1. Say max-offset is 10.
2. A user uses a stale token value that is 10 sequence numbers out of date.
3. The users file will have a -10 recorded for the sequence offset.
4. User uses another stale token value that is -15 stale - allowed because this is within the window [-20, 0] (having radius max-offset = 10).
5. Users file now has -15 recorded for the sequence offset.
6. User is no longer able to login with a current token value, because zero is not inside the window [-25, -5] (having radius max-offset = 10).

To more gracefully handle this scenario, suggest the following: When checking time-based tokens for users having a negative sequence offset, accept token values having any offset between the user's negative sequence offset and zero. So in the above example, we'd use [-25, 0] instead of [-25, -5] as the acceptable window. This allows users who have used stale time-based token values to "catch back up".

Fixed in r100.