diff -r b9eb748ac1e4 -r 31387f4022e5 yms/backend.php
--- a/yms/backend.php Mon Apr 11 11:23:30 2016 -0400
+++ b/yms/backend.php Wed Jan 11 13:02:34 2017 +0000
@@ -347,22 +347,20 @@
 return 'REPLAYED_OTP';
 }
- // update DB
- $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET session_count = {$otp['session']}, token_count = {$otp['count']}, access_time = " . time() . ", token_time = {$otp['timestamp']} WHERE id = $yubikey_id;");
- if ( !$q )
- $db->_die();
-
 // check timestamp
 if ( $otp['session'] == $session_count )
 {
 $expect_delta = time() - $access_time;
- // 8Hz Yubikey internal clock
- $actual_delta = intval(( $otp['timestamp'] - $token_time ) / 8);
- $fuzz = 150;
+ // Tolerate up to a 0.5Hz deviance from 8Hz. I've observed Yubikey
+ // clocks running at 8.32Hz
+ $actual_delta = $otp['timestamp'] - $token_time;
+ $fuzz = 150 + round(($actual_delta / 7.5) - ($actual_delta / 8.5));
+ // Now that we've calculated fuzz, convert the actual delta to quasi-seconds
+ $actual_delta /= 8;
 if ( !yms_within($expect_delta, $actual_delta, $fuzz) )
 {
 // if we have a likely wraparound, just pass it
- if ( !($token_time > 0xe80000 && $otp['timestamp'] < 0x800000) )
+ if ( !($token_time > 0xe80000 && $otp['timestamp'] < 0x080000) )
 {
 return 'BAD_OTP';
 }
@@ -370,6 +368,11 @@
 // $debug_array = array('ts_debug_delta_expected' => $expect_delta, 'ts_debug_delta_received' => $actual_delta);
 }
+ // update DB
+ $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET session_count = {$otp['session']}, token_count = {$otp['count']}, access_time = " . time() . ", token_time = {$otp['timestamp']} WHERE id = $yubikey_id;");
+ if ( !$q )
+ $db->_die();
+
 // looks like we're good
 return 'OK';
 }
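Review bot: The new `$fuzz` in the first hunk is derived from the signed tick delta, so whenever `$otp['timestamp']` is below `$token_time` the correction term goes negative and the window shrinks below the 150 baseline (for a counter wraparound it becomes a large negative number); the added comment describes a clock-rate tolerance, which is a property of elapsed time regardless of direction. If yms_within treats `$fuzz` as a symmetric window, `$fuzz = 150 + round((abs($actual_delta) / 7.5) - (abs($actual_delta) / 8.5));` expresses that intent and leaves the positive-delta behaviour unchanged. Note that `$actual_delta /= 8` now yields a float where the old `intval(...)` produced an int; worth confirming yms_within is happy with that. The enclosing function starts before this hunk.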
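Review bot: The UPDATE moved into the second hunk still builds its SQL by interpolating `$otp['session']`, `$otp['count']`, `$otp['timestamp']` and `$yubikey_id` directly into the string, and nothing visible in the diff establishes that they are integers at this point. If they are already decoded numeric fields the query is sound, but wrapping each with `intval()` where they are interpolated (or using a parameterised query if the `$db` layer offers one) would make that invariant explicit and keep the statement safe should the OTP parsing ever change upstream. Moving the write after the timestamp check is the right order: a `BAD_OTP` no longer advances the stored counters. The enclosing function begins outside this diff.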