5.11 Sending a code to unlock a device

If a cardholder has locked their device, you can send an authentication code that can be used for unlocking the device and resetting the PIN.

The cardholder can provide the authentication code when using the Reset PIN option in the Self-Service App or the I want to reset my PIN option in the Self-Service Kiosk, or an operator can unlock the device using the Authentication Code tab of the Reset Card PIN or Unlock Credential workflows; see section 5.6, Resetting a device's PIN and section 5.9, Unlocking a device.

5.11.1 Configuring authentication codes for unlocking

  1. Set the configuration options:

    1. From the Configuration category, select Security Settings.

    2. On the PINs tab, set the following:

      • Auth Code Lifetime for Immediate Use – set this to the number of seconds for which a short lifetime authentication code is valid. To set short lifetime authentication codes for no expiry, set this value to 0. The default is 120 seconds.

      • Auth code lifetime – set this to the number of seconds for which a long lifetime authentication code is valid. To set long lifetime authentication codes for no expiry, set this value to 0. The default is 720 hours.

    3. Click Save changes.

  2. In the Edit Roles workflow, make sure the operator has the Send Auth Code for PIN Unlock option selected for their role.

  3. From the Configuration category, select Email Templates.

    The methods of delivery for the unlock code are determined by the enabled status of the following email templates:

    • Unlock Credential Code Email – used to send an authentication code in an email message to the person's configured email address. By default, this delivery method is enabled.

    • Unlock Credential Code SMS – used to send an authentication code in an SMS message to the person's configured cell phone number. By default, this delivery method is disabled.

    Make sure the delivery methods you want to use are enabled.

    Important: You can edit the content of the email templates, and enable or disable them, but do not change the Transport option, or the notifications will no longer work correctly.

  4. Set up an SMTP server.

    See the Setting up email section in the Advanced Configuration Guide for details.

  5. If you are using SMS to send the authentication codes, configure your system for SMS notifications:

    1. From the Configuration category, select Operation Settings.

    2. On the General tab, set the following:

      • SMS email notifications – set to Yes.

      • SMS gateway URL for notifications – set to the URL of your SMS gateway.

        By default, SMS messages are sent through an email-to-SMS gateway, in the format <cellnumber>@<gateway>, where:

        • <cellnumber> – the cell phone number from the person's record.

        • <gateway> – the URL from the SMS gateway URL for notifications option.

        For example: [email protected]

        If this is not suitable, you can customize the sp_CustomPrepareSMS stored procedure in the MyID database.

    3. Click Save changes.

  6. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the MyID Operator Client picks up the configuration changes.
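The recycle in step 6 can also be scripted. The following is an added example, not part of the MyID documentation; it assumes an elevated PowerShell session on the MyID web server with the IIS WebAdministration module installed, and uses the pool name given in step 6.

```powershell
# Added example: scripted equivalent of step 6 (not from the MyID documentation).
# Assumes an elevated PowerShell session on the MyID web server with the
# IIS WebAdministration module installed.
Import-Module WebAdministration

$poolName = 'myid.web.oauth2.pool'   # pool name as given in step 6
$poolPath = "IIS:\AppPools\$poolName"

# Stop early if the script is run on the wrong server.
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' was not found on this server."
}

$state = (Get-WebAppPoolState -Name $poolName).Value
if ($state -eq 'Started') {
    # Recycle so that a new worker process loads the saved configuration.
    Restart-WebAppPool -Name $poolName
} else {
    # Restart-WebAppPool fails on a stopped pool, so start it instead.
    Start-WebAppPool -Name $poolName
}

# Report the resulting state for the change record.
"{0}: {1}" -f $poolName, (Get-WebAppPoolState -Name $poolName).Value
```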

5.11.2 Sending an unlock code

To send an unlock code for a device:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the DEVICES tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.
  2. Click the Send Auth Code option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The Send Auth Code option appears only if the device is in a suitable state for unlocking: the device must be active and issued, and must be a contact card, Identity Agent, or Microsoft VSC. If the device requires activation, this option sends an authentication code instead (see section 5.10, Sending an authentication code to activate a device). You must also make sure that you have the Send Auth Code for PIN Unlock option selected for your role in the Edit Roles workflow.

    The Send Unlock Code screen appears.

  3. Type any Notes you want to store in the audit trail about the operation.

  4. From the Delivery Mechanism drop-down list, select how you want to send the code.

    You can choose from:

    • Unlock Code Email – sends the code as an email to the person's configured email address. This option is available if the Unlock Credential Code Email template is enabled in the Email Templates workflow.

    • Unlock Code SMS – sends the code as a text message to the person's configured cell phone number. This option is available if the Unlock Credential Code SMS template is enabled in the Email Templates workflow.

  5. From the Lifetime drop-down list, select how long you want the code to be valid.

    The options here are determined by the values saved in the Auth Code Lifetime for Immediate Use and Auth code lifetime configuration options; by default, the options are:

    • Expires 30 days from request – based on the default Auth code lifetime setting of 720 hours.

    • Expires 2 minutes from request – based on the default Auth Code Lifetime for Immediate Use setting of 120 seconds.

  6. Click Save.

    MyID sends the authentication code to the person, who can then use it to reset their device PIN, either using the Reset PIN option in the Self-Service App or the I want to reset my PIN option in the Self-Service Kiosk, or with the assistance of an operator using the Reset Card PIN or Unlock Credential workflow; see section 5.6, Resetting a device's PIN and section 5.9, Unlocking a device.