5.10 Unlocking cards and resetting PINs

If users type an incorrect PIN several times, their card is locked – this means they cannot use it to log in. Depending on how your system is set up, cardholders may be able to unlock the card themselves, or they may need to call a helpdesk.

5.10.1 Resetting a card's PIN

You can use the Reset Card PIN workflow to change the PIN of another user's card. This workflow allows you to set a new PIN when the card's PIN has become locked; an administrator can specify the authentication methods that you can use to reset the PIN.

To reset the PIN of a card:

1. From the Cards category, click Reset Card PIN.

2. Insert the card you want to reset.

   

3. Select the card, then click Next.

   

   The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

   You can now choose how to authenticate the user's identity.

   The authentication methods available depend on how your administrator has configured your system. See section 5.10.2, PIN reset authentication methods for details.

4. Select the tab for the appropriate authentication method.

   • Card PIN – select this option if the user is present, knows their existing PIN, and the PIN on the card has not been locked. On the Enter New PIN stage after you click Next, you will provide the current PIN as well as the new PIN.

   • Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.

     See section 5.10.8, Requesting an authentication code for details.

   • Security Questions – select this option to provide answers to a selection of the user's security questions.

     See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.

   • Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.

   • Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
   • Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.

5. Click Next.

   

   Note: If you selected the Card PIN authentication method, you must provide the current PIN as well as the new PIN.

6. Type the new PIN and confirm it.
7. Click Continue.

MyID resets the PIN on the card to the new value. Do not remove the card from the reader until the process is complete.

5.10.2 PIN reset authentication methods

You can configure which authentication methods are available in the Reset Card PIN workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To configure the PIN reset authentication methods:

1. From the Configuration category, select Edit Roles.

2. Under the Reset Card PIN option, select the following options:

   • Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details..

   • Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
   • Security Questions – select this option to allow authentication using answers to the user's stored security questions.
   • Reject Authentication – select this option to allow the operator to reject the authentication for the user.
   • Card PIN – select this option to allow authentication using the current PIN.
   • Authentication Code – select this option to allow authentication codes.
   • Bypass Authentication – select this option to skip the authentication stage on the Reset Card PIN workflow. Do not select any other authentication methods in conjunction with this option.
3. Click Save Changes.

5.10.3 Resetting your own PIN

You can use the Reset PIN option to change your own PIN at the logon screen. You can use this option to reset your PIN at any time, including when your card has been locked by entering the PIN incorrectly too many times.

To reset your PIN:

1. At the logon screen, click Reset PIN.

2. Complete the authentication requested.

   For example, provide your fingerprints.

   The authentication you provide depends on the setup of your credential profile. See section 5.10.5, Self-service PIN reset authentication for details.

3. Provide your new PIN.

   

4. Click Reset PIN.

5.10.4 Allowing self-service unlocking

You must have the Self-service Unlock option (on the Self-Service page of the Security Settings workflow) set to Yes to allow users to unlock their own cards.

5.10.5 Self-service PIN reset authentication

Self-service card unlocking at the logon screen enforces flexible authentication requirements based on the credential profile.

See the Self-Service Unlock Authentication section in the Administration Guide for details.

When you unlock your card using the Reset PIN option, MyID checks the latest version of the credential profile for the Self-Service Unlock Authentication setting.

Note: The latest version of the credential profile is always used. If you change the self-service authentication settings, you do not have to update existing issued smart cards.

• If the Credential owners must authenticate using one of the methods below in the order shown is not set:

  • If the Ask Security Questions for Self Service Card Unlock configuration option (on the PINs page of the Security Settings workflow) is set, the user can provide their security phrases to unlock their card.

• If the Credential owners must authenticate using one of the methods below in the order shown is set:

  • The authentication methods listed in the credential profile are presented to the cardholder in order.
  • When the user is presented with a method of authentication, they can decline the option (for example, when presented with a smart card authentication screen, they can click the "I cannot authenticate with my device" option) and proceed to the next available logon mechanism.
  • Windows logon is always attempted first; if Windows authentication is successful, the user starts the action; if it is unsuccessful, the user is presented with the next logon mechanism in the list.

Allowing authentication codes and security phrases

To allow authentication codes or security phrases to be used when logging on to MyID to perform a PIN reset, you must set the following:

• In the Security Settings workflow, on the Logon Mechanisms tab, set the Password Logon option.
• In the Edit Roles workflow, on the Logon Methods screen, select Password as a logon mechanism for the roles you want to be able to use authentication codes or security phrases to perform a PIN reset.
• If you want to allow password or authentication code logon to MyID for the purpose of PIN resets, but not for general logon, you can prevent password logon for cases where the user does not also have their card present; in the Security Settings workflow, on the Logon tab, set the Prevent Direct Password Logon option to Yes.

5.10.6 Unlocking a credential remotely

Users may need to contact their helpdesk to unlock their credentials (for example, smart cards, mobile devices, VSCs). The helpdesk operator can use the Unlock Credential workflow to provide a code that unlocks the card.

If the user has a locked smart card, and is physically present so that you can insert the card into a card reader on the operator's machine, you can use Reset Card PIN instead – see section 5.10.1, Resetting a card's PIN.

Note: Some smart card types do not support remote unlocking. See the Smart Card Integration Guide for details of those that do.

• IKB-183 –MyID does not check expiry dates on identity documents

  In the Unlock Credential workflow, MyID does not check the expiry date of any identity documents you provide to confirm the card holder's identity. If your organization's procedures require this check. you must verify the expiry date manually before proceeding.

To unlock a card remotely:

1. From the Cards category, click Unlock Credential.

   

2. Enter the search criteria for the person who owns the credential you want to unlock, then click Search.

   See section 2.2.2, Entering search criteria for details of entering search criteria.

3. From the list of matching records, select the person to search for any credentials belonging to them.

   

4. Select the device you want to unlock.

   

   The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

   You can now choose how to authenticate the user's identity.

   The authentication methods available depend on how your administrator has configured your system. See section 5.10.7, Remote unlock authentication methods for details.

5. Select the tab for the appropriate authentication method.

   • Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.

     See section 5.10.8, Requesting an authentication code for details.

   • Security Questions – select this option to provide answers to a selection of the user's security questions.

     See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.

   • Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.

   • Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
   • Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.

6. Click Next.

   

7. Ask the credential owner to read out the challenge code, and type it into the boxes provided.

8. Click Generate Response.

   

9. Read out the response code to the credential owner.
10. Provide details of the operation – whether the unlock was successful, and any details you want to add.
11. Click Next to complete the workflow.

5.10.7 Remote unlock authentication methods

You can configure which authentication methods are available in the Unlock Credential workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To set up authentication methods for unlocking:

1. From the Configuration category, select Edit Roles.

2. Under the Unlock Credential option, select the following options:

   • Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).

     Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List EditorSee the Changing list entries section in the Administration Guide for details.

   • Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
   • Security Questions – select this option to allow authentication using answers to the user's stored security questions.
   • Reject Authentication – select this option to allow the operator to reject the authentication for the user.
   • Authentication Code – select this option to allow authentication codes.
   • Bypass Authentication – select this option to skip the authentication stage on the Unlock Credential workflow. Do not select any other authentication methods in conjunction with this option.

   Assign these options to the appropriate roles; for example, you may want users who have one role to use security questions, and users who have another role to use authentication codes.

3. Click Save Changes.

5.10.8 Requesting an authentication code

The Request Auth Code workflow allows you to request an authentication or unlock code for a user.

Authentication codes are used during card activation; see the Activating cards section in the Administration Guide for details. If an applicant makes several invalid attempts to enter an authentication code (as determined by the Maximum Allowed OTP Failures configuration option), quits out of the Activate Card workflow, or declines the terms and conditions, the code is canceled, and the applicant must ask an administrator to generate another code.

If a cardholder enters their PIN incorrectly too many times, the card is locked. An administrator can generate an unlock code using this workflow. The cardholder can then unlock the card: see section 5.10.3, Resetting your own PIN.

Note: Codes do not expire; they are valid until they are used. Only one code of each type can be assigned to a card – new codes supersede old codes.

The Request Auth Code workflow is not assigned to any roles by default; you must make sure that you use the Edit Roles workflow to assign the workflow to any roles that you want to be able to issue codes.

To generate a code:

1. From the Cards category, select Request Auth Code.
2. Use the Find Person screen to find the user for whom you want to generate a code.
3. Select the person.

4. If the user has more than one card, select the card.

   The screen shows if the user has any existing unlock or authentication codes in the Existing Codes column. If you generate a code of the same type, the previous code is deactivated, and can no longer be used.

5. To generate an unlock code, click Unlock.

   An email message is sent to the user containing a code that allows them to unlock the card. See section 5.10.3, Resetting your own PIN for details.

6. To generate an authentication code, click Activate.

An email message is sent to the user containing a code that allows them to activate the card. see the Activating cards section in the Administration Guide for details.

5.10.9 Remote PIN Management utility for PIV cards

The MyID Card Utility allows you to carry out a remote unlock or change the PIN on cards that support PIV applets.

This utility has been developed with IDEMIA (PIV cards and ID-One PIV cards) and Gemplus PIV cards. You can also use the utility with Yubico devices, which support PIV features but are not PIV compliant.

The MyIDCardUtility.exe file is installed to the Utilities folder on the MyID application server. You can copy this utility manually to any client PC you want to be able to use the functionality.

To use the card utility:

1. Copy the MyIDCardUtility.exe file to the client PC.

2. In Windows Explorer, double-click the MyIDCardUtility.exe file.

   You can also set up a shortcut to run this utility.

   

3. If you are using multiple card readers, select the appropriate reader from the Select Card Reader drop-down list.

4. Click Read Card.

   The utility reads the card, and the card serial number appears.

5. Select one of the following options:

   • Change PIN
   • Remote Unlock Card

   To change the PIN:

   1. Click Change PIN.

   2. Click Next.

      

   3. Type the card's Existing PIN.

   4. Type the New PIN, and confirm the new PIN in the Confirm PIN box.

      Note: The PIN must be the same length or longer than the current PIN.

   5. Click Next.

      The card PIN is changed.

   To remote unlock the card:

   1. Click Remote Unlock Card.

   2. Click Next.

      

   3. Call the helpdesk and provide the Unlock Challenge.

   4. The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.

      The helpdesk operator can then read out the unlocking code.

      See section 5.10.6, Unlocking a credential remotely for details of using the Unlock Credential workflow.

   5. Type the unlocking code from the helpdesk operator into the Unlock Code box.
   6. Type a New PIN and confirm the new PIN in the Confirm PIN box.

   7. Click Next.

      The card is unlocked, and is given a new PIN.

5.10.10 Unlock credential provider

MyID provides an unlock credential provider that allows a user to unlock their PIV card from the Windows logon screen. This provides the same functionality as the MyID Card Utility for remotely unlocking cards (see section 5.10.9, Remote PIN Management utility for PIV cards for details).

For details of installing and configuring the unlock credential provider, see the Installing the unlock credential provider section in the Installation and Configuration Guide.

To unlock a PIV card:

1. At the Windows logon screen, insert your locked PIV card.

2. Select the Unlock Credential Provider tile.

   Note: The unlock credential provider displays a tile for each suitable logon certificate on the card; for example, a PIV card has both PIV Authentication and Card Authentication certificates, so the unlock credential provider displays two tiles. Click on any of the provided tiles to continue.

   The unlock credential provider generates and displays a random challenge.

3. Call the helpdesk and provide the Challenge code.

4. The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.

   The helpdesk operator can then read out the unlocking code.

   See section 5.10.6, Unlocking a credential remotely for details of using the Unlock Credential workflow.

5. Type the unlocking code from the helpdesk operator into the Response box.

6. Type a new PIN and confirm the new PIN in the PIN Check box.

   The card is unlocked and given a new PIN, and the user is logged on to Windows.

Note: The next time you log on to Windows after unlocking your card using the unlock credential provider, the Unlock Credential Provider tile is selected on the logon screen; this is because Windows remembers the last option you selected on this screen. Click your preferred sign-in option and continue.

5.10.11 Known issues

• IKB-283 – Error if an incorrect certificate is selected for PIN unlock

  If two or more Windows logon certificates are present for the same identity on a single device, an error can occur after successfully completing setting a new PIN for the device if the following sequence has occurred.

  • The user has initially logged on with a certificate on a device.
  • The user locks the PC.
  • The user attempts to unlock the computer but locks the PIN for the device by providing the incorrect PIN too many times.
  • The user selects a different logon certificate on the same device.
  • The user completes the unlock process and sets a new PIN.

  A Windows message is displayed:

  The user name or password is incorrect

  In this scenario, the PIN is successfully changed, but the user must re-select the certificate and enter their PIN to logon to Windows again.