Open topic with navigation

5.10 Unlocking cards and resetting PINs

If users type an incorrect PIN several times, their card is locked – this means they cannot use it to log in. Depending on how your system is set up, cardholders may be able to unlock the card themselves, or they may need to call a helpdesk.

5.10.1 Resetting a card's PIN

You can use the Reset Card PIN workflow to change the PIN of another user's card. This workflow allows you to set a new PIN when the card's PIN has become locked; an administrator can specify the authentication methods that you can use to reset the PIN.

To reset the PIN of a card:

1. From the Cards category, click Reset Card PIN.

2. Insert the card you want to reset.

   

3. Select the card, then click Next.

   

   The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

   You can now choose how to authenticate the user's identity.

   The authentication methods available depend on how your administrator has configured your system. See section 5.10.2, PIN reset authentication methods for details.

4. Select the tab for the appropriate authentication method.

   • Card PIN – select this option if the user is present, knows their existing PIN, and the PIN on the card has not been locked. On the Enter New PIN stage after you click Next, you will provide the current PIN as well as the new PIN.

   • Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.

     See section 5.10.8, Requesting an authentication code for details.

   • Security Questions – select this option to provide answers to a selection of the user's security questions.

     See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.

   • Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing List Entries section in the Administration Guide for details.

   • Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
   • Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.

5. Click Next.

   

   Note: If you selected the Card PIN authentication method, you must provide the current PIN as well as the new PIN.

6. Type the new PIN and confirm it.
7. Click Continue.

MyID resets the PIN on the card to the new value. Do not remove the card from the reader until the process is complete.

5.10.2 PIN reset authentication methods

You can configure which authentication methods are available in the Reset Card PIN workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To configure the PIN reset authentication methods:

1. From the Configuration category, select Edit Roles.

2. Under the Reset Card PIN option, select the following options:

   • Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing List Entries section in the Administration Guide for details.

   • Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
   • Security Questions – select this option to allow authentication using answers to the user's stored security questions.
   • Reject Authentication – select this option to allow the operator to reject the authentication for the user.
   • Card PIN – select this option to allow authentication using the current PIN.
   • Authentication Code – select this option to allow authentication codes.
   • Bypass Authentication – select this option to skip the authentication stage on the Reset Card PIN workflow. Do not select any other authentication methods in conjunction with this option.
3. Click Save Changes.

5.10.3 Resetting your own PIN

You can use the Reset PIN option to change your own PIN at the logon screen. You can use this option to reset your PIN at any time, including when your card has been locked by entering the PIN incorrectly too many times.

To reset your PIN:

1. At the logon screen, click Reset PIN.

2. Complete the authentication requested.

   For example, provide your fingerprints.

   The authentication you provide depends on the setup of your credential profile. See section 5.10.5, Self-service PIN reset authentication for details.

3. Provide your new PIN.

   

4. Click Reset PIN.

5.10.4 Allowing self-service unlocking

You must have the Self-service Unlock option (on the Self-Service page of the Security Settings workflow) set to Yes to allow users to unlock their own cards.

For PIV systems, you also must configure the web service to allow self-service unlock. See the details of the AllowSelfUnlockForPIV option in the Web Service Architecture guide for details.

5.10.5 Self-service PIN reset authentication

Self-service card unlocking at the logon screen enforces flexible authentication requirements based on the credential profile.

When you unlock your card using the Reset PIN option, MyID checks the latest version of the credential profile for the Additional Authentication setting.

• None – no biometric or authentication codes are required. If the Ask Security Questions for Self Service Card Unlock configuration option (on the PINs page of the Security Settings workflow) is set, the user can unlock their card with their security phrases; otherwise, the user cannot unlock their card, and must contact a MyID operator.

• System Default – If the Ask Security Questions for Self Service Card Unlock configuration option (on the PINs page of the Security Settings workflow) is set, the user must provide their security phrases to unlock their card.

  If the Verify fingerprints during card unlock configuration option (on the Biometrics tab of the Operation Settings workflow) is set, the user must provide their fingerprints to unlock their card.

  If neither option is set, the user cannot unlock their card.

  If both options are set, the user must provide both security phrases and biometrics to unlock their card.

• Biometric – biometric authentication is used to unlock the card.
• Authentication Code (Manual) – an authentication code is required to unlock the card. An operator must request an authentication code.
• Authentication Code (Automatic) – an authentication code is emailed to the applicant when the card is issued; this is not suitable for unlocking.

To allow biometric authentication when logging on to MyID to perform a PIN reset, you must set the following:

• In the Security Settings workflow, on the Logon Mechanisms tab, set the Biometric Logon option.
• In the Edit Roles workflow, add the Bio Unlock My Card workflow to the permissions for the roles you want to be able to reset PINs using biometric authentication.
• In the Edit Roles workflow, on the Logon Methods screen, select Biometric Logon as a logon mechanism for the roles that have access to the Bio Unlock My Card workflow.
• In the Operation Settings workflow, on the Biometrics tab, set the Allow Biometric PIN Reset option.

To allow authentication codes or security phrases to be used when logging on to MyID to perform a PIN reset, you must set the following:

• In the Security Settings workflow, on the Logon Mechanisms tab, set the Password Logon option.
• In the Edit Roles workflow, on the Logon Methods screen, select Password as a logon mechanism for the roles you want to be able to use authentication codes or security phrases to perform a PIN reset.
• If you want to allow password or authentication code logon to MyID for the purpose of PIN resets, but not for general logon, you can prevent password logon for cases where the user does not also have their card present; in the Security Settings workflow, on the Logon tab, set the Prevent Direct Password Logon option to Yes.

5.10.6 Unlocking a credential remotely

Users may need to contact their helpdesk to unlock their credentials (for example, smart cards, mobile devices, VSCs). The helpdesk operator can use the Unlock Credential workflow to provide a code that unlocks the card.

If the user has a locked smart card, and is physically present so that you can insert the card into a card reader on the operator's machine, you can use Reset Card PIN instead – see section 5.10.1, Resetting a card's PIN.

Note: Some smart card types do not support remote unlocking. See the Smart Card Integration Guide for details of those that do.

• IKB-183 –MyID does not check expiry dates on identity documents

  In the Unlock Credential workflow, MyID does not check the expiry date of any identity documents you provide to confirm the card holder's identity. If your organization's procedures require this check. you must verify the expiry date manually before proceeding.

To unlock a card remotely:

1. From the Cards category, click Unlock Credential.

   

2. Enter the search criteria for the person who owns the credential you want to unlock, then click Search.

   See section 2.2.2, Entering search criteria for details of entering search criteria.

3. From the list of matching records, select the person to search for any credentials belonging to them.

   

4. Select the device you want to unlock.

   

   The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

   You can now choose how to authenticate the user's identity.

   The authentication methods available depend on how your administrator has configured your system. See section 5.10.7, Remote unlock authentication methods for details.

5. Select the tab for the appropriate authentication method.

   • Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.

     See section 5.10.8, Requesting an authentication code for details.

   • Security Questions – select this option to provide answers to a selection of the user's security questions.

     See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.

   • Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing List Entries section in the Administration Guide for details.

   • Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
   • Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.

6. Click Next.

   

7. Ask the credential owner to read out the challenge code, and type it into the boxes provided.

8. Click Generate Response.

   

9. Read out the response code to the credential owner.
10. Provide details of the operation – whether the unlock was successful, and any details you want to add.
11. Click Next to complete the workflow.

5.10.7 Remote unlock authentication methods

You can configure which authentication methods are available in the Unlock Credential workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To set up authentication methods for unlocking:

1. From the Configuration category, select Edit Roles.

2. Under the Unlock Credential option, select the following options:

   • Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing List Entries section in the Administration Guide for details.

   • Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
   • Security Questions – select this option to allow authentication using answers to the user's stored security questions.
   • Reject Authentication – select this option to allow the operator to reject the authentication for the user.
   • Authentication Code – select this option to allow authentication codes.
   • Bypass Authentication – select this option to skip the authentication stage on the Unlock Credential workflow. Do not select any other authentication methods in conjunction with this option.

   Assign these options to the appropriate roles; for example, you may want users who have one role to use security questions, and users who have another role to use authentication codes.

3. Click Save Changes.

5.10.8 Requesting an authentication code

The Request Auth Code workflow allows you to request an authentication or unlock code for a user.

Authentication codes are used during card activation; see the Activate card section in the Administration Guide for details. If an applicant makes several invalid attempts to enter an authentication code (as determined by the Maximum Allowed OTP Failures configuration option), quits out of the Activate Card workflow, or declines the terms and conditions, the code is canceled, and the applicant must ask an administrator to generate another code.

If a cardholder enters their PIN incorrectly too many times, the card is locked. An administrator can generate an unlock code using this workflow. The cardholder can then unlock the card: see section 5.10.3, Resetting your own PIN.

Note: Codes do not expire; they are valid until they are used. Only one code of each type can be assigned to a card – new codes supersede old codes.

The Request Auth Code workflow is not assigned to any roles by default; you must make sure that you use the Edit Roles workflow to assign the workflow to any roles that you want to be able to issue codes.

To generate a code:

1. From the Cards category, select Request Auth Code.
2. Use the Find Person screen to find the user for whom you want to generate a code.
3. Select the person.

4. If the user has more than one card, select the card.

   The screen shows if the user has any existing unlock or authentication codes in the Existing Codes column. If you generate a code of the same type, the previous code is deactivated, and can no longer be used.

5. To generate an unlock code, click Unlock.

   An email message is sent to the user containing a code that allows them to unlock the card. See section 5.10.3, Resetting your own PIN for details.

6. To generate an authentication code, click Activate.

An email message is sent to the user containing a code that allows them to activate the card. See the Activating cards section in the Administration Guide for details.

5.10.9 Remote PIN Management utility for PIV cards

The MyID Card Utility allows you to carry out a remote unlock or change the PIN on cards that support PIV applets.

This utility has been developed with IDEMIA (PIV cards and ID-One PIV cards) and Gemplus PIV cards. You can also use the utility with Yubico devices, which support PIV features but are not PIV compliant. See the Smart Card Integration Guide for details of which cards support the utility.

The MyIDCardUtility.exe file is installed to the Utilities folder on the MyID application server. You can copy this utility manually to any client PC you want to be able to use the functionality.

To use the card utility:

1. Copy the MyIDCardUtility.exe file to the client PC.

2. In Windows Explorer, double-click the MyIDCardUtility.exe file.

   You can also set up a shortcut to run this utility.

   

3. If you are using multiple card readers, select the appropriate reader from the Select Card Reader drop-down list.

4. Click Read Card.

   The utility reads the card, and the card serial number appears.

5. Select one of the following options:

   • Change PIN
   • Remote Unlock Card

   To change the PIN:

   1. Click Change PIN.

   2. Click Next.

      

   3. Type the card's Existing PIN.
   4. Type the New PIN, and confirm the new PIN in the Confirm PIN box.

   5. Click Next.

      The card PIN is changed.

   To remote unlock the card:

   1. Click Remote Unlock Card.

   2. Click Next.

      

   3. Call the helpdesk and provide the Unlock Challenge.

   4. The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.

      The helpdesk operator can then read out the unlocking code.

      See section 5.10.6, Unlocking a credential remotely for details of using the Unlock Credential workflow.

   5. Type the unlocking code from the helpdesk operator into the Unlock Code box.
   6. Type a New PIN and confirm the new PIN in the Confirm PIN box.

   7. Click Next.

      The card is unlocked, and is given a new PIN.

MyID version 11.3.0 product documentation, August 15, 2019 – Copyright © 2001-2019 Intercede Limited. All rights reserved.