5.10 Unlocking cards and resetting PINs

If users type an incorrect PIN several times, their card is locked – this means they cannot use it to log in. Depending on how your system is set up, cardholders may be able to unlock the card themselves, or they may need to call a helpdesk.

5.10.1 Resetting a card's PIN

You can use the Reset Card PIN workflow to change the PIN of another user's card. This workflow allows you to set a new PIN when the card's PIN has become locked; an administrator can specify the authentication methods that you can use to reset the PIN.

To reset the PIN of a card:

  1. From the Cards category, click Reset Card PIN.
  2. Insert the card you want to reset.

  3. Select the card, then click Next.

    The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

    You can now choose how to authenticate the user's identity.

    The authentication methods available depend on how your administrator has configured your system. See section 5.10.2, PIN reset authentication methods for details.

  4. Select the tab for the appropriate authentication method.

  5. Click Next.

    Note: If you selected the Card PIN authentication method, you must provide the current PIN as well as the new PIN.

  6. Type the new PIN and confirm it.
  7. Click Continue.

MyID resets the PIN on the card to the new value. Do not remove the card from the reader until the process is complete.

5.10.2 PIN reset authentication methods

You can configure which authentication methods are available in the Reset Card PIN workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To configure the PIN reset authentication methods:

  1. From the Configuration category, select Edit Roles.
  2. Under the Reset Card PIN option, select the following options:

  3. Click Save Changes.

5.10.3 Resetting your own PIN

You can use the Reset PIN option to change your own PIN at the logon screen. You can use this option to reset your PIN at any time, including when your card has been locked by entering the PIN incorrectly too many times.

To reset your PIN:

  1. At the logon screen, click Reset PIN.
  2. Complete the authentication requested.

    For example, provide your fingerprints.

    The authentication you provide depends on the setup of your credential profile. See section 5.10.5, Self-service PIN reset authentication for details.

  3. Provide your new PIN.

  4. Click Reset PIN.

5.10.4 Allowing self-service unlocking

You must have the Self-service Unlock option (on the Self-Service page of the Security Settings workflow) set to Yes to allow users to unlock their own cards.

For PIV systems, you also must configure the web service to allow self-service unlock. See the details of the AllowSelfUnlockForPIV option in the Web Service Architecture guide for details.

5.10.5 Self-service PIN reset authentication

Self-service card unlocking at the logon screen enforces flexible authentication requirements based on the credential profile.

When you unlock your card using the Reset PIN option, MyID checks the latest version of the credential profile for the Additional Authentication setting.

To allow biometric authentication when logging on to MyID to perform a PIN reset, you must set the following:

To allow authentication codes or security phrases to be used when logging on to MyID to perform a PIN reset, you must set the following:

5.10.6 Unlocking a credential remotely

Users may need to contact their helpdesk to unlock their credentials (for example, smart cards, mobile devices, VSCs). The helpdesk operator can use the Unlock Credential workflow to provide a code that unlocks the card.

If the user has a locked smart card, and is physically present so that you can insert the card into a card reader on the operator's machine, you can use Reset Card PIN instead – see section 5.10.1, Resetting a card's PIN.

Note: Some smart card types do not support remote unlocking. See the Smart Card Integration Guide for details of those that do.

To unlock a card remotely:

  1. From the Cards category, click Unlock Credential.

  2. Enter the search criteria for the person who owns the credential you want to unlock, then click Search.

    See section 2.2.2, Entering search criteria for details of entering search criteria.

  3. From the list of matching records, select the person to search for any credentials belonging to them.

  4. Select the device you want to unlock.

    The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

    You can now choose how to authenticate the user's identity.

    The authentication methods available depend on how your administrator has configured your system. See section 5.10.7, Remote unlock authentication methods for details.

  5. Select the tab for the appropriate authentication method.

  6. Click Next.

  7. Ask the credential owner to read out the challenge code, and type it into the boxes provided.
  8. Click Generate Response.

  9. Read out the response code to the credential owner.
  10. Provide details of the operation – whether the unlock was successful, and any details you want to add.
  11. Click Next to complete the workflow.

5.10.7 Remote unlock authentication methods

You can configure which authentication methods are available in the Unlock Credential workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To set up authentication methods for unlocking:

  1. From the Configuration category, select Edit Roles.
  2. Under the Unlock Credential option, select the following options:

    Assign these options to the appropriate roles; for example, you may want users who have one role to use security questions, and users who have another role to use authentication codes.

  3. Click Save Changes.

5.10.8 Requesting an authentication code

The Request Auth Code workflow allows you to request an authentication or unlock code for a user.

Authentication codes are used during card activation; see the Activate card section in the Administration Guide for details. If an applicant makes several invalid attempts to enter an authentication code (as determined by the Maximum Allowed OTP Failures configuration option), quits out of the Activate Card workflow, or declines the terms and conditions, the code is canceled, and the applicant must ask an administrator to generate another code.

If a cardholder enters their PIN incorrectly too many times, the card is locked. An administrator can generate an unlock code using this workflow. The cardholder can then unlock the card: see section 5.10.3, Resetting your own PIN.

Note: Codes do not expire; they are valid until they are used. Only one code of each type can be assigned to a card – new codes supersede old codes.

The Request Auth Code workflow is not assigned to any roles by default; you must make sure that you use the Edit Roles workflow to assign the workflow to any roles that you want to be able to issue codes.

To generate a code:

  1. From the Cards category, select Request Auth Code.
  2. Use the Find Person screen to find the user for whom you want to generate a code.
  3. Select the person.
  4. If the user has more than one card, select the card.

    The screen shows if the user has any existing unlock or authentication codes in the Existing Codes column. If you generate a code of the same type, the previous code is deactivated, and can no longer be used.

  5. To generate an unlock code, click Unlock.

    An email message is sent to the user containing a code that allows them to unlock the card. See section 5.10.3, Resetting your own PIN for details.

  6. To generate an authentication code, click Activate.

An email message is sent to the user containing a code that allows them to activate the card. See the Activating cards section in the Administration Guide for details.
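The lifecycle rules stated above (one code of each type per card, a new code supersedes the old one, codes do not expire, a code is cancelled after too many invalid attempts or when the applicant quits) are easy to get wrong when building or auditing a helpdesk tool around them. The following is an added example that models those rules in plain Python; it is not MyID's code, the `AuthCodeStore` class and its methods are assumed names, and the value of `MAX_ALLOWED_OTP_FAILURES` stands in for the configuration option of the same name, whose real default is not given on this page.

```python
"""Model of the unlock / activation code lifecycle described for the
Request Auth Code workflow. Added example, not MyID code."""
import secrets
from dataclasses import dataclass, field

# Stand-in for the "Maximum Allowed OTP Failures" configuration option.
# The actual default is not stated on this page; 3 is an assumed value.
MAX_ALLOWED_OTP_FAILURES = 3

CODE_TYPES = ("unlock", "activate")


@dataclass
class AuthCodeStore:
    """Holds at most one live code per (card serial, code type)."""
    # (serial, type) -> code; replacing the entry models "new codes supersede old codes"
    codes: dict = field(default_factory=dict)
    # (serial, type) -> number of wrong attempts against the current code
    failures: dict = field(default_factory=dict)

    def request_code(self, serial: str, code_type: str) -> str:
        """Issue a fresh 8-digit code; any earlier code of this type is deactivated."""
        if code_type not in CODE_TYPES:
            raise ValueError(f"unknown code type: {code_type}")
        code = f"{secrets.randbelow(10**8):08d}"
        self.codes[(serial, code_type)] = code
        self.failures[(serial, code_type)] = 0
        return code

    def existing_codes(self, serial: str) -> list:
        """What the 'Existing Codes' column would show for this card."""
        return sorted(t for (s, t) in self.codes if s == serial)

    def cancel(self, serial: str, code_type: str) -> None:
        """Applicant quit the workflow or declined the terms: the code is cancelled."""
        self.codes.pop((serial, code_type), None)
        self.failures.pop((serial, code_type), None)

    def redeem(self, serial: str, code_type: str, attempt: str) -> bool:
        """Consume the code on success; cancel it after too many failures.
        Codes never expire by time, so only these two paths remove them."""
        key = (serial, code_type)
        stored = self.codes.get(key)
        if stored is None:
            return False  # no live code (never issued, used, or cancelled)
        if secrets.compare_digest(stored, attempt):
            self.cancel(serial, code_type)  # single use
            return True
        self.failures[key] += 1
        if self.failures[key] >= MAX_ALLOWED_OTP_FAILURES:
            self.cancel(serial, code_type)  # applicant must ask for a new code
        return False


if __name__ == "__main__":
    store = AuthCodeStore()
    old = store.request_code("CARD-0001", "unlock")
    new = store.request_code("CARD-0001", "unlock")  # supersedes 'old'
    print("superseded code accepted:", store.redeem("CARD-0001", "unlock", old))
    print("current code accepted:", store.redeem("CARD-0001", "unlock", new))
```

Two details worth noting when reviewing a real implementation against this model: the superseded code counts as a failed attempt against the current one (an attacker who intercepted an old email gains nothing but still burns a retry), and cancellation after `MAX_ALLOWED_OTP_FAILURES` is what prevents an unlimited offline-style guess of an 8-digit code.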

5.10.9 Remote PIN Management utility for PIV cards

The MyID Card Utility allows you to carry out a remote unlock or change the PIN on cards that support PIV applets.

This utility has been developed for use with IDEMIA PIV cards (including ID-One PIV cards) and Gemplus PIV cards. You can also use the utility with Yubico devices, which support PIV features but are not PIV compliant. See the Smart Card Integration Guide for details of which cards support the utility.

The MyIDCardUtility.exe file is installed to the Utilities folder on the MyID application server. You can copy this utility manually to any client PC you want to be able to use the functionality.

To use the card utility:

  1. Copy the MyIDCardUtility.exe file to the client PC.
  2. In Windows Explorer, double-click the MyIDCardUtility.exe file.

    You can also set up a shortcut to run this utility.

    (Screenshot: card utility 1)

  3. If you are using multiple card readers, select the appropriate reader from the Select Card Reader drop-down list.
  4. Click Read Card.

    The utility reads the card, and the card serial number appears.

  5. Select one of the following options:

    To change the PIN:

    1. Click Change PIN.
    2. Click Next.

      (Screenshot: card utility 2)

    3. Type the card's Existing PIN.
    4. Type the New PIN, and confirm the new PIN in the Confirm PIN box.
    5. Click Next.

      The card PIN is changed.

    To remotely unlock the card:

    1. Click Remote Unlock Card.
    2. Click Next.

      (Screenshot: card utility 3)

    3. Call the helpdesk and provide the Unlock Challenge.
    4. The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.

      The helpdesk operator can then read out the unlocking code.

      See section 5.10.6, Unlocking a credential remotely for details of using the Unlock Credential workflow.

    5. Type the unlocking code from the helpdesk operator into the Unlock Code box.
    6. Type a New PIN and confirm the new PIN in the Confirm PIN box.
    7. Click Next.

      The card is unlocked, and is given a new PIN.
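Sections 5.10.6 and 5.10.9 describe the same challenge/response exchange from the two ends: the card shows a challenge, the cardholder reads it to the helpdesk, the authenticated operator obtains a response from MyID, and the card accepts the response together with a new PIN. The following added example simulates that exchange end to end so the ordering and the checks on each side are visible. It is not MyID's or the card applet's code: the `Card` and `HelpdeskServer` classes are assumed names, the PIN retry limit is an assumed value, and the HMAC-SHA256 response function is a stand-in for whatever mechanism the real card uses, chosen only to illustrate a response that depends on a per-card secret and on the specific challenge.

```python
"""Simulation of a remote unlock challenge/response exchange.
Added example; the mechanism is assumed, not taken from MyID or any card."""
import hashlib
import hmac
import secrets

PIN_RETRY_LIMIT = 3  # assumed; the real limit comes from the card / credential profile


def compute_unlock_response(unlock_key: bytes, serial: str, challenge: str) -> str:
    """Assumed response function: keyed MAC over serial and challenge,
    truncated to an 8-character code the operator can read out."""
    mac = hmac.new(unlock_key, f"{serial}:{challenge}".encode(), hashlib.sha256).digest()
    return mac[:4].hex().upper()


class Card:
    """The cardholder's side: PIN retry counter, challenge, unlock verification."""

    def __init__(self, serial: str, pin: str, unlock_key: bytes):
        self.serial = serial
        self._pin = pin
        self._unlock_key = unlock_key  # assumed to be shared with the server at issuance
        self.retries_left = PIN_RETRY_LIMIT
        self._challenge = None

    @property
    def locked(self) -> bool:
        return self.retries_left == 0

    def verify_pin(self, attempt: str) -> bool:
        """Normal logon: a wrong PIN decrements the counter, zero means locked."""
        if self.locked:
            return False
        if hmac.compare_digest(attempt, self._pin):
            self.retries_left = PIN_RETRY_LIMIT
            return True
        self.retries_left -= 1
        return False

    def unlock_challenge(self) -> str:
        """Fresh random challenge: this is what the user reads out to the helpdesk."""
        self._challenge = secrets.token_hex(4).upper()
        return self._challenge

    def remote_unlock(self, response: str, new_pin: str) -> bool:
        """Accept the operator's response once; a new challenge is needed to retry."""
        if self._challenge is None:
            return False
        expected = compute_unlock_response(self._unlock_key, self.serial, self._challenge)
        self._challenge = None  # consume the challenge so a response cannot be replayed
        if not hmac.compare_digest(expected, response):
            return False
        self._pin = new_pin
        self.retries_left = PIN_RETRY_LIMIT
        return True


class HelpdeskServer:
    """The operator's side: only an authenticated operator can mint a response."""

    def __init__(self):
        self._keys = {}  # serial -> unlock key (constructed registry)

    def register(self, serial: str, unlock_key: bytes) -> None:
        self._keys[serial] = unlock_key

    def generate_response(self, serial: str, challenge: str, operator_authenticated: bool) -> str:
        if not operator_authenticated:
            raise PermissionError("authentication step of the Unlock Credential workflow not completed")
        return compute_unlock_response(self._keys[serial], serial, challenge)


def run_exchange() -> dict:
    """Walk through lockout, challenge, response and unlock with constructed data."""
    key = secrets.token_bytes(32)           # constructed per-card unlock key
    card = Card("CARD-0001", "1234", key)
    server = HelpdeskServer()
    server.register(card.serial, key)
    for _ in range(PIN_RETRY_LIMIT):
        card.verify_pin("0000")              # wrong PIN until the card locks
    challenge = card.unlock_challenge()      # step 3 of 5.10.9: read to helpdesk
    response = server.generate_response(card.serial, challenge, operator_authenticated=True)
    unlocked = card.remote_unlock(response, "5678")
    return {"locked_before": card.retries_left == 0 or unlocked, "unlocked": unlocked,
            "new_pin_works": card.verify_pin("5678"), "replay_accepted": card.remote_unlock(response, "9999")}


if __name__ == "__main__":
    print(run_exchange())
```

The two properties a reviewer would check in a real deployment are visible here: the response is bound to the specific challenge and card (so a response read out for one call is useless for another), and the server refuses to generate a response until the operator has completed the authentication step configured in Edit Roles.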


MyID version 11.3.0 product documentation, August 15, 2019 – Copyright © 2001-2019 Intercede Limited. All rights reserved.