7.4 Resynchronization of the Counter

The server's counter is incremented only after a successful HOTP authentication, whereas the counter on the token is incremented every time the user requests a new HOTP. The server counter and the token counter can therefore drift out of synchronization.

To address this, a tree-wide look-ahead (resynchronization window) setting should be in place. If the server finds that the received HOTP does not correspond to its current counter value, it can compute the next few HOTP values that fall within the resynchronization window and compare them against the received HOTP. If one matches, authentication succeeds and the server counter is set to the counter value that corresponds to the matched HOTP.

On successful authentication, the server counter is set to the next counter value at which the authentication succeeds.

The tree-wide resynchronization window should be kept as small as possible, in order to restrict the space of possible solutions for an attacker trying to recreate HOTP values.

If the mismatch between the client and server counters exceeds the tree-wide resynchronization window, resynchronization can be achieved by temporarily setting a user-specific resynchronization window to a large value and then attempting an HOTP-based authentication.
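The look-ahead check described above, as an added example that is not part of this documentation or of the nmashotpconf utility: it implements RFC 4226 HOTP and a server-side verification that first tries the small tree-wide window and only falls back to a larger, hypothetical user-specific window when that fails. The secret is the RFC 4226 test-vector key, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real token seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_in_window(secret: bytes, server_counter: int, received: str, window: int):
    """Try the server counter and the next `window` counter values.

    Returns (accepted, new_server_counter). On a match the server counter is moved
    past the matched value (as RFC 4226 prescribes) so the accepted OTP cannot be
    replayed; on failure the server counter is left unchanged.
    """
    for step in range(window + 1):
        candidate = server_counter + step
        if hmac.compare_digest(hotp(secret, candidate), received):
            return True, candidate + 1
    return False, server_counter


def authenticate(secret: bytes, server_counter: int, received: str,
                 tree_window: int, user_window: int = 0):
    """Server-side check: the small tree-wide window applies to every user; a larger
    user-specific window (hypothetical per-user setting, 0 = unset) is consulted only
    when the tree-wide lookup fails, mirroring a temporary resynchronization."""
    ok, new_counter = verify_in_window(secret, server_counter, received, tree_window)
    if not ok and user_window > tree_window:
        ok, new_counter = verify_in_window(secret, server_counter, received, user_window)
    return ok, new_counter


if __name__ == "__main__":
    # Token is 8 presses ahead of the server (counter 8); a tree-wide window of 3 rejects it.
    otp = hotp(SECRET, 8)
    print(authenticate(SECRET, 0, otp, tree_window=3))                  # (False, 0)
    # A temporary user-specific window of 10 resynchronizes and advances the counter.
    print(authenticate(SECRET, 0, otp, tree_window=3, user_window=10))  # (True, 9)
```

Once the counter has advanced past the matched value, presenting the same OTP again is rejected, which is why the window should be small and the user-specific override only temporary.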

The nmashotpconf utility should be used for configuring HOTP-based authentication. For more information, read the Configuration section.