3.4 Logon using codes

You can set up MyID to send an email message containing a one-time logon code to a cardholder. The cardholder can then use this code to authenticate to MyID and complete the operation; for example, to collect their card, request a replacement card, or collect soft certificates.

Note: If the cardholder makes several failed attempts to enter the logon code, as a security measure, they are prevented from making any further attempts. To allow the cardholder to proceed, you must use the Job Management workflow to cancel the original request, then request another credential for the cardholder. MyID will then send a new logon code.

3.4.1 Setting up logon codes

To set up MyID to send logon codes:

  1. From the Configuration category, select Security Settings.

  2. On the Logon tab, set the following options:

    • Allow Logon Codes – set this option to Yes to allow MyID to use logon codes. If you set this option to No, MyID still sends logon codes when the Generate Logon Code option in the credential profile is set, but the codes cannot be used to log on.
    • Simple Logon Code Complexity – the complexity used when you select Simple from the Generate Logon Code drop-down list in the credential profile. By default, this is 12-12N.
    • Complex Logon Code Complexity – the complexity used when you select Complex from the Generate Logon Code drop-down list in the credential profile. By default, this is 12-12ULSN.

      Complexity settings (both simple and complex) take the format mm-nnULSN.

      mm = min length (must be greater than 0)

      nn = max length (greater or equal to the min length, with a max of 99)

      U/u = must/may contain upper case (optional)

      L/l = must/may contain lower case (optional)

      S/s = must/may contain symbols (optional)

      N/n = must/may contain numbers (optional)

      You must specify a min length, max length, and at least one of U, L, S, or N.

      Note: If you have set the Case sensitive security questions configuration option (on the PINs page of the Security Settings workflow) to No, make sure that you have not included L or l (must/may contain lower case letters) in your complexity format; otherwise, you will be unable to use the generated codes. Use a code like 12-12USN instead.

    • Maximum allowed security question failures – specify the maximum number of failed attempts a user can make when entering a logon code or answering a security question.

      Note: If you set this option to 0, the default value of 3 is used and the user's account is locked when three attempts have been made without success. If you want to provide unlimited attempts to enter logon codes, you can set the Action on maximum security question failures option (on the PINs page of the Security Settings workflow) to None.

  3. On the Logon Mechanisms tab, set the following option:

    • Password Logon – set this option to Yes.

  4. Click Save changes.
  5. In the Edit Roles workflow, make sure the user's role has the Password logon mechanism assigned.

    See section 4.1.5, Assigning logon mechanisms for details of using the Edit Roles workflow.

  6. From the Configuration category, select Credential Profiles.
  7. Select the profile you want to edit, and click Modify.
  8. Select the Issuance Settings section.
  9. For Generate Logon Code, select one of the following:

    • None – no logon code is generated.
    • Simple – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
    • Complex – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option.

      Credentials using the profile will send an email message containing a logon code.

  10. Click Next and complete the workflow.
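The complexity string described in step 2 (mm-nnULSN) is a small grammar, and it is worth being precise about what "must" and "may" mean before choosing a value for the Simple or Complex option. The following is an added example, not MyID's own code: it parses a complexity string, rejects the invalid forms the documentation lists (zero minimum, maximum below minimum or above 99, no class letters, and L/l when Case sensitive security questions is No), generates a code that satisfies the rule using a CSPRNG, and validates a code against the rule. The symbol set used for S/s is an assumption, since the page does not say which characters MyID treats as symbols.

```python
import re
import secrets
import string

# Character classes behind the U/L/S/N flags. The symbol set is an assumption;
# the MyID documentation does not list which characters count as "symbols".
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "S": "!#$%&*+-=?@^_",
    "N": string.digits,
}

# mm-nn followed by one or more class letters; upper = must, lower = may.
PATTERN = re.compile(r"^(\d{1,2})-(\d{1,2})([ULSNulsn]+)$")


def parse_complexity(spec, case_sensitive=True):
    """Parse a MyID-style complexity string such as '12-12ULSN'.

    Returns (min_len, max_len, required, allowed), where required and allowed
    are sets of class letters. Raises ValueError for the forms the
    documentation calls invalid, and for L/l when security answers are
    compared case-insensitively (the generated codes would be unusable).
    """
    m = PATTERN.match(spec)
    if not m:
        raise ValueError(f"malformed complexity spec: {spec!r}")
    min_len, max_len, flags = int(m.group(1)), int(m.group(2)), m.group(3)
    if min_len < 1:
        raise ValueError("min length must be greater than 0")
    if max_len < min_len or max_len > 99:
        raise ValueError("max length must be >= min length and <= 99")
    required = {c for c in flags if c.isupper()}
    allowed = {c.upper() for c in flags}
    if len(allowed) != len(set(flags)):
        raise ValueError("a class may appear as either must or may, not both")
    if not case_sensitive and "L" in allowed:
        raise ValueError("L/l not usable when security questions are case-insensitive")
    if min_len < len(required):
        raise ValueError("min length is too short for the number of mandatory classes")
    return min_len, max_len, required, allowed


def generate_code(spec, case_sensitive=True):
    """Generate a logon code that satisfies spec, using the secrets CSPRNG."""
    min_len, max_len, required, allowed = parse_complexity(spec, case_sensitive)
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    pool = "".join(CLASSES[c] for c in sorted(allowed))
    # One character from each mandatory class, then fill from the whole pool.
    chars = [secrets.choice(CLASSES[c]) for c in sorted(required)]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle so the mandatory characters are not always at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def validate_code(code, spec, case_sensitive=True):
    """True if code has a valid length, uses only allowed classes and
    contains every mandatory class."""
    min_len, max_len, required, allowed = parse_complexity(spec, case_sensitive)
    if not (min_len <= len(code) <= max_len):
        return False
    pool = set().union(*(CLASSES[c] for c in allowed))
    if any(ch not in pool for ch in code):
        return False
    present = {c for c, chars in CLASSES.items() if any(ch in chars for ch in code)}
    return required <= present


if __name__ == "__main__":
    for spec in ("12-12N", "12-12ULSN", "8-16uN"):
        code = generate_code(spec)
        print(f"{spec:10} -> {code}  valid={validate_code(code, spec)}")
    try:
        parse_complexity("12-12ULSN", case_sensitive=False)
    except ValueError as e:
        print("rejected:", e)
```

Note that the default Simple setting, 12-12N, is a fixed-length numeric code, so its strength comes from length and the lockout in Maximum allowed security question failures rather than from character variety; the case-insensitive check above is the condition from the note on the Case sensitive security questions option.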

3.4.2 Using logon codes

In the Self-Service Kiosk and the Self-Service App, the cardholder is prompted for the logon code automatically.

In MyID Desktop, a user who has been provided with a logon code must start the program with the /lc command-line option. MyID Desktop then prompts for the username and logon code.

You must also specify a workflow using the /opid command-line option to determine the workflow that starts after the user has logged on.

For example:

MyIDDesktop.exe /lc /opid:216

You can include a hyperlink in the email notification. Use the Email Templates workflow to modify the Job Logon Code email template, and include a link to the Desktop application similar to the following:

myiddsk:///lc+/opid:216

Workflow IDs you may want to include for the /opid parameter include:

Note: Make sure you set email messages to be sent in HTML format (see section 13.1.2, Email format for details) and use HTML formatting in your email message; for example:

<a href="myiddsk:///lc+/opid:216">Collect My Card</a>

Note: When logging on with the /lc option, the Set Security Phrase at Logon setting is not enforced – users are not required to set their security phrases, even if they do not have the minimum number required. See section 3.3.3, Setting the number of security phrases required to authenticate for details of the Set Security Phrase at Logon setting.