Lost token

1.5.12. Lost token

The lost token process can be used when a user has lost their token or the token is temporarily unavailable.

Manage-UI users must be granted the admin policy actions “losttoken, tokenowner” to enable this workflow.


After selecting the relevant token, you can click the “Lost token” button. This token is then disabled and the user gets a temporary token. The temporary token can be of type ‘email’ or ‘sms’, or a static password token.


To prevent anyone from misusing the temporary token, the OTP PIN of the lost token is automatically copied to the temporary token. Thus the help desk employee does not know the OTP PIN and cannot use the temporary token on their own.

For the password token, the administrator or help desk staff can tell the user the temporary password over the phone.

For the E-mail or SMS token, the user must have a valid mobile number or email address defined in their user properties; otherwise these token types cannot be selected and only the static password token is available. Please be aware that the E-mail or SMS token will only work if your email provider or SMS provider is correctly configured: the provider configuration is not checked during token enrollment. Also be aware that the SMS and E-mail tokens are challenge-response tokens, which are triggered by entering the PIN for the authentication. With no PIN, or with otppin_policy=2, the user will not be able to trigger the authentication challenge.

The details of the lost token workflow can be configured with the corresponding policies (see Lost token). There you can define the length of the temporary password token and how long this temporary token remains valid.
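The following is an added, self-contained model of the rules described on this page (which temporary types a user may receive, the PIN being inherited from the lost token, and the policy-defined password length and validity); it is illustrative code, not the product's own implementation, and the policy keys, class and function names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy values standing in for the configurable length and validity
# of the temporary password token (hypothetical key names, not the real policy names).
POLICY = {"temp_pw_len": 10, "temp_valid_days": 3}

@dataclass
class Token:
    serial: str
    ttype: str                 # e.g. "hotp", "password", "email", "sms"
    pin: str                   # OTP PIN, known only to the user
    user: dict = field(default_factory=dict)
    secret: str = ""           # static temporary password (type "password" only)
    enabled: bool = True
    valid_until: Optional[datetime] = None

def allowed_temp_types(user: dict) -> List[str]:
    """Static password is always offered; email/sms only if the user attribute exists."""
    types = ["password"]
    if user.get("email"):
        types.append("email")
    if user.get("mobile"):
        types.append("sms")
    return types

def lost_token(lost: Token, temp_type: str, now: datetime) -> Token:
    """Disable the lost token and issue a temporary token that inherits its OTP PIN."""
    if temp_type not in allowed_temp_types(lost.user):
        raise ValueError(f"temporary type {temp_type!r} not available for this user")
    lost.enabled = False
    alphabet = string.ascii_letters + string.digits
    secret = "".join(secrets.choice(alphabet) for _ in range(POLICY["temp_pw_len"]))
    return Token(serial="lost_" + lost.serial, ttype=temp_type, pin=lost.pin,
                 user=lost.user, secret=secret if temp_type == "password" else "",
                 valid_until=now + timedelta(days=POLICY["temp_valid_days"]))

def check_password_token(tok: Token, otp: str, now: datetime) -> bool:
    """Authenticate with PIN + temporary password; help desk staff know only the password."""
    if not tok.enabled or tok.ttype != "password":
        return False
    if tok.valid_until is None or now > tok.valid_until:
        return False  # temporary token expired (validity comes from policy)
    return secrets.compare_digest(otp, tok.pin + tok.secret)
```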