This article describes the situation when hard tokens are showing an error status and how to fix it. 

In the CLI, it gives the following error:

FortiGate # diag fortitoken info
FORTITOKEN DRIFT STATUS
FTK200BAA0000000 0 token already activated, and seed won't be returned
FTK200BAA0000001 0 token already activated, and seed won't be returned

Total activated token: 21
Total global activated token: 21

Token server status: reachable

• Those Tokens need to be reset on the server side (Need to open a support ticket with TAC Support for that).

• Provide the FortiToken S/N  list for the FortiTokens that want to reset.
• At the Hardware page at the FortiGate, check all the Hard Tokens that are used by the end users in the account.
• Only the unassigned Hard Tokens can be deleted.

• The FortiTokens with the Serial Number Prefix FortiToken 200, FortiToken 210 and FortiToken 220 can be reset for TAC Support.
• The FortiTokens with Serial Number Prefix FortiToken 200CD and FortiToken 200BCD (with the serial number prefix FortiToken 211) are not supported.
• Those FortiToken can be reset only with an activation file on the CD.
• Those models are distributed with a CD that contains encrypted data for the FortiToken to work.  Keep the CD protected and don't lose it.
• After resetting the tokens on the server side, they can be activated from User & Authentication -> FortiTokens page or the following command.

• It might take a few minutes to update.

FortiGate # exec fortitoken activate  FTK200BAA0000000
FortiGate # exec fortitoken activate  FTK200BAA0000001