If the card is used while the server is unaware of it, or when the server thinks the card is used while in reality it is not, the card and the server loose sync. The server expects other codes than the card provides. Here's what to do.

Your Sesame card and the server are synchronised. The server knows what the next code will be, and anything else will be rejected. This works well in everyday use, but in special situations the synchronisation can be lost. So don't let children play with the card and reader ;-)

Resynchronising

The basic idea of resynchronisation is that the server searches for codes that it thinks would occur in the future or that have occurred in the past. If your card 'used up' codes without sending them to the server, it will find those codes by doing this future-value lookup. If you or someone else claimed to have presented your card without actually using it, a later transaction with cards that actually come from the card will result in a match in the card's past.

To avoid abuse of this mechanism to enter arbitrary codes, the server will not ask for one code, but for a sequence of two codes in immediate succession. The chances of guessing these right would be one in a trillion, so looking ahead for quite a bit of the future is no security problem.

The way this works in practice is that you try to enter a confirmation code, but that code is going to be wrong. The server will respond by asking a second code from your card, and use it to look ahead in the sequence.

If this succeeds, the confirmed action will be executed. If it fails, your account or Sesame card will be blocked for a progressively longer time.

Related issue: The support for wrong entry uses the same interface. The server supports these two ways out after an unexpected entry; one is resynchronising based on the sequence of two numbers as described above, and the other is entering a second number properly.

What if the Sesame card and server get out of sync?

Resynchronising