diff --git a/common/hal_sdk/useridm_interface.cpp b/common/hal_sdk/useridm_interface.cpp
index 549cd93d761575c3b13da0b5ba811d293dc0538f..986f704826c7c793f67da7089de7834447aa8dd7 100644
--- a/common/hal_sdk/useridm_interface.cpp
+++ b/common/hal_sdk/useridm_interface.cpp
@@ -207,6 +207,7 @@ int32_t DeleteUserEnforce(int32_t userId, std::vector<CredentialInfo> &credentia
         GlobalUnLock();
         return ret;
     }
+    RefreshValidTokenTime();
     for (int i = 0; i < num; i++) {
         CredentialInfo credentialInfo;
         if (memcpy_s(&credentialInfo, sizeof(CredentialInfo),
@@ -247,7 +248,8 @@ int32_t DeleteUser(int32_t userId, std::vector<uint8_t> authToken, std::vector<C
         GlobalUnLock();
         return ret;
     }
-    if (challenge != authTokenStruct.challenge || UserAuthTokenVerify(&authTokenStruct) != RESULT_SUCCESS) {
+    if (challenge != authTokenStruct.challenge || !IsValidTokenTime(authTokenStruct.time) ||
+        UserAuthTokenVerify(&authTokenStruct) != RESULT_SUCCESS) {
         LOG_ERROR("verify token failed");
         GlobalUnLock();
         return RESULT_BAD_SIGN;
@@ -279,6 +281,7 @@ int32_t UpdateCredential(std::vector<uint8_t> enrollToken, uint64_t &credentialI
         GlobalUnLock();
         return ret;
     }
+    RefreshValidTokenTime();
     if (memcpy_s(&deletedCredential, sizeof(CredentialInfo), &credentialInfoHal, sizeof(CredentialInfoHal)) != EOK) {
         LOG_ERROR("copy failed");
         GlobalUnLock();
diff --git a/common/idm/inc/idm_session.h b/common/idm/inc/idm_session.h
index e0acda7cabae2a6e20ff5898a645282f30cb29c7..b0e8b877356d5ff3cde718925f79ad0e52a101b2 100644
--- a/common/idm/inc/idm_session.h
+++ b/common/idm/inc/idm_session.h
@@ -31,4 +31,7 @@ ResultCode GetUserId(int32_t *userId);
 ResultCode GetChallenge(uint64_t *challenge);
 ResultCode GetScheduleId(uint64_t *scheduleId);
 
+void RefreshValidTokenTime();
+bool IsValidTokenTime(uint64_t tokenTime);
+
 #endif // USER_IDM_SESSION_H
\ No newline at end of file
diff --git a/common/idm/inc/user_idm_funcs.h b/common/idm/inc/user_idm_funcs.h
index 4702d0c35cd50df762685cb605e6e4d10bbefef1..87b5ae97e62c4706dd96a7142410cc098162633f 100644
--- a/common/idm/inc/user_idm_funcs.h
+++ b/common/idm/inc/user_idm_funcs.h
@@ -23,8 +23,8 @@
 typedef struct {
     uint8_t token[AUTH_TOKEN_LEN];
     int32_t userId;
-    uint32_t authSubType;
     uint32_t authType;
+    uint64_t authSubType;
 } PermissionCheckParam;
 
 typedef struct {
diff --git a/common/idm/src/idm_session.c b/common/idm/src/idm_session.c
index e44511fcd23ba262c81316d9d5bee6a49258d0a0..f460d265f04a52a5b520689952f7d318da09a1a6 100644
--- a/common/idm/src/idm_session.c
+++ b/common/idm/src/idm_session.c
@@ -31,6 +31,7 @@ struct SessionInfo {
     bool isScheduleValid;
     int32_t userId;
     uint64_t time;
+    uint64_t validAuthTokenTime;
     uint64_t challenge;
 } *g_session;
 
@@ -82,12 +83,31 @@ ResultCode OpenEditSession(int32_t userId, uint64_t *challenge)
         return RESULT_GENERAL_ERROR;
     }
     g_session->time = GetSystemTime();
+    g_session->validAuthTokenTime = g_session->time;
 
     *challenge = g_session->challenge;
     g_session->isScheduleValid = false;
     return RESULT_SUCCESS;
 }
 
+void RefreshValidTokenTime()
+{
+    if (!IsSessionExist()) {
+        LOG_ERROR("session is invalid");
+        return;
+    }
+    g_session->validAuthTokenTime = GetSystemTime();
+}
+
+bool IsValidTokenTime(uint64_t tokenTime)
+{
+    if (!IsSessionExist()) {
+        LOG_ERROR("session is invalid");
+        return false;
+    }
+    return tokenTime >= g_session->validAuthTokenTime;
+}
+
 ResultCode CloseEditSession()
 {
     if (!IsSessionExist()) {
diff --git a/common/idm/src/user_idm_funcs.c b/common/idm/src/user_idm_funcs.c
index fd1af406343e3443723b5883863214343d536bbf..fa3e7a7c663c33b15c207054c02deb2abde204f3 100644
--- a/common/idm/src/user_idm_funcs.c
+++ b/common/idm/src/user_idm_funcs.c
@@ -31,11 +31,16 @@ static int32_t PinPermissionCheck(int32_t userId, UserAuthTokenHal *authToken)
     if (ret == RESULT_NOT_FOUND) {
         return RESULT_SUCCESS;
     } else if (ret == RESULT_SUCCESS) {
+        LOG_INFO("pin already exists, legal token is required");
         uint64_t challenge;
         ret = GetChallenge(&challenge);
         if (ret != RESULT_SUCCESS || challenge != authToken->challenge) {
-            LOG_ERROR("check challenge failed");
-            return RESULT_BAD_SIGN;
+            LOG_ERROR("check challenge failed, token is invalid");
+            return RESULT_BAD_MATCH;
+        }
+        if (!IsValidTokenTime(authToken->time)) {
+            LOG_ERROR("check token time failed, token is invalid");
+            return RESULT_VERIFY_TOKEN_FAIL;
         }
         return UserAuthTokenVerify(authToken);
     } else {
@@ -55,8 +60,12 @@ static int32_t FacePermissionCheck(int32_t userId, UserAuthTokenHal *authToken)
     uint64_t challenge;
     ret = GetChallenge(&challenge);
     if (ret != RESULT_SUCCESS || challenge != authToken->challenge) {
-        LOG_ERROR("check challenge failed");
-        return RESULT_BAD_SIGN;
+        LOG_ERROR("check challenge failed, token is invalid");
+        return RESULT_BAD_MATCH;
+    }
+    if (!IsValidTokenTime(authToken->time)) {
+        LOG_ERROR("check token time failed, token is invalid");
+        return RESULT_VERIFY_TOKEN_FAIL;
     }
     return UserAuthTokenVerify(authToken);
 }