31.4 PINs page (Security Settings)

Setting: Action on maximum security question failures
Default value: Lock security phrases
Description: Determines what happens when a user has reached the Maximum allowed security question failures – see section 31.1, Logon page (Security Settings). This can be one of the following:
    Lock security phrases – The user's account is locked.
    None – The user can retry as many times as they like.

Setting: Ask Security Questions for Self Service Card Unlock
Default value: No
Description: Whether the holder's security phrase is used when unlocking a card.
Further information: See the Self-service PIN reset authentication section in the Operator's Guide.

Setting: Case sensitive security questions
Default value: Yes
Description: Whether the case of responses to security phrases or logon codes is checked when authenticating.
Further information: Important: See section 3.3.2, Changing rules for security phrases.
    For logon codes, if you set this option to No, make sure that you have not included L or l (must/may contain lower case letters) in your logon code complexity format; otherwise, you will be unable to use the generated codes. Use a code like 12-12USN instead.

Setting: Default max PIN length
Default value: 12
Description: The default maximum PIN length. You can override this setting in the credential profile using the Maximum PIN length option.
Further information: See section 11.3.1, Credential profile options.

Setting: FIDO Immediate Collect Timeout
Default value: 120
Description: The number of seconds before timeout when performing immediate FIDO registration through the Self-Service Request Portal.
Further information: See the Registering FIDO authenticators using the Self-Service Request Portal section in the FIDO Authenticator Integration Guide.

Setting: Lock Card on Issuance
Default value: Ask
Description: Whether the PIN assigned during issue is locked. If so, the holder must enter a new PIN on first use.
Further information: See section 11.3.1, Credential profile options.

Setting: Number of security questions for operator authentication
Default value: 1
Description: The number of security phrases the user is required to provide when an operator asks them; for example, during the Authenticate Person or Unlock Credential workflows.
Further information: See section 3.3.3, Setting the number of security phrases required to authenticate.

Setting: Number of security questions for self-service authentication
Default value: 2
Description: The number of security phrases users are required to provide when authenticating themselves.
Further information: See section 3.3.3, Setting the number of security phrases required to authenticate.

Setting: Number of security questions to register
Default value: 2
Description: The number of security phrases to enroll for a user in the Change Security Phrases or Change My Security Phrases workflows.
Further information: See section 3.3.3, Setting the number of security phrases required to authenticate.

Setting: Offline Unlock Method
Default value: Challenge
Description:
    Challenge – a dialogue between the holder and the helpdesk, passing challenges and responses to identify the holder and the device.
    Witness – another holder must witness the request.
    None – offline unlocking not possible.
Further information: Used for Giesecke & Devrient cards.

Setting: PIN Timeout
Default value: 180
Description: Period of inactivity (in minutes) before a PIN must be re-entered. This may be overruled by the device's own timeout period, if shorter.

Setting: Prevent version 1 password enrollment
Default value: No
Description: If you set this option to Yes, and the Use Security Phrase algorithm version 2 option is set to Ask, security phrases are stored only with SHA256 hashes. This allows you to force a transition to SHA256 security phrases and gradually remove any SHA1 stored answers.

Setting: Reload Device Profile
Default value: Yes
Description: No longer used. Previously, this setting forced MyID to reload the device profile onto the card during issuance.
Further information: Appears only on upgraded systems.

Setting: Remote Unlock requires an Authentication Code prompt
Default value: No
Description: No longer required. Previously, if set to Yes, the user had to provide an authentication code to remotely unlock a card or device.
Further information: Appears only on upgraded systems. See the Unlocking a credential remotely section in the Operator's Guide for details of configuring MyID for remote unlock.

Setting: Security Phrase allowable characters
Default value: (blank)
Description: The characters accepted in a security phrase. List individual characters or ranges. The only permissible ranges are a-z (all lowercase letters), A-Z (all uppercase letters) and 0-9 (all numbers).
    For example: a-zA-Z!%&
    The default (blank) means no restrictions.
Further information: Note: a-z and A-Z do not include accented characters. If required, these must be specified individually.

Setting: Security Phrase complexity format
Default value: (blank)
Description: Defines the rules for allowed security phrases. Leave blank to allow any format.
Further information: See section 3.3.1, Setting rules for security phrases for detailed instructions.

Setting: Security Phrase minimum length
Default value: 0
Description: The minimum number of characters accepted for a security phrase. Set to 0 to allow any security phrases with one or more characters.

Setting: Security Phrase repeat character limit
Default value: 0
Description: The maximum number of repeated characters accepted in security phrases. 0 allows any number of repeated characters.

Setting: Security Phrase sequential character limit
Default value: 0
Description: The maximum number of sequential characters – either numbers (1, 2, 3) or letters (a, b, c) – in security phrases. 0 allows any number of sequential characters.

Setting: Security Phrase whitespace removal
Default value: No
Description: Set to Yes to remove any spaces from security phrases before storing or checking the security phrase.
Further information: Important: See section 3.3.2, Changing rules for security phrases.
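The security phrase settings above (allowable characters with the three permitted ranges, minimum length, repeat and sequential character limits, whitespace removal) can be checked together at enrollment time. The following is an added example, not MyID's own code: the parameter names are invented, and it assumes that the repeat and sequential limits bound the longest run of identical or ascending adjacent characters.

```python
import re
from typing import List, Optional, Set

# Only the three documented ranges are expanded; a-z and A-Z exclude accented letters.
RANGES = {"a-z": "abcdefghijklmnopqrstuvwxyz",
          "A-Z": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
          "0-9": "0123456789"}

def parse_allowable(spec: str) -> Optional[Set[str]]:
    """Expand the allowable-characters setting; None means no restriction (blank)."""
    if not spec:
        return None
    allowed = set()
    for token in re.findall(r"[A-Za-z0-9]-[A-Za-z0-9]|.", spec, re.DOTALL):
        if len(token) == 3 and token not in RANGES:   # e.g. "a-c" is not permitted
            raise ValueError(f"unsupported range {token!r}")
        allowed.update(RANGES.get(token, token))      # range, or the single character
    return allowed

def longest_run(s: str, sequential: bool) -> int:
    """Longest run of one repeated character, or (sequential=True) of ascending adjacent
    letters/digits such as abc or 123. This run-length reading of the limits is assumed."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        if sequential:
            hit = prev.isalnum() and cur.isalnum() and ord(cur) - ord(prev) == 1
        else:
            hit = cur == prev
        run = run + 1 if hit else 1
        best = max(best, run)
    return best

def validate(phrase: str, allowable: str = "", min_length: int = 0, repeat_limit: int = 0,
             sequential_limit: int = 0, whitespace_removal: bool = False) -> List[str]:
    """Apply the settings (0 = no limit, as on the PINs page) and return the violations."""
    if whitespace_removal:                            # spaces are dropped before checking
        phrase = phrase.replace(" ", "")
    problems = []
    allowed = parse_allowable(allowable)
    if allowed is not None and set(phrase) - allowed:
        problems.append("disallowed characters: " + "".join(sorted(set(phrase) - allowed)))
    if len(phrase) < max(min_length, 1):              # minimum 0 still needs 1+ characters
        problems.append("too short")
    if repeat_limit and longest_run(phrase, False) > repeat_limit:
        problems.append("too many repeated characters")
    if sequential_limit and longest_run(phrase, True) > sequential_limit:
        problems.append("too many sequential characters")
    return problems
```

With the page's own example value a-zA-Z!%& and whitespace removal on, "Blue Whale!" is accepted while "abcdef 1" is rejected both for the digit and for the six-character ascending run.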


Setting: Set GlobalPlatform Card Status
Default value: No
Description: Whether MyID can set the GlobalPlatform status for a device.
    When you use deferred activation, MyID must be able to set the card status from SECURED to LOCKED. If the card is shipped with the status SECURED, no further action is required. If the card is shipped with the status OP_READY or INITIALIZED, for example, you must set this option to Yes to allow MyID to change the card status to SECURED before it sets the status to LOCKED for deferred activation.
    Note: You must also make sure that you set up customer GlobalPlatform keys for your cards. The status change from OP_READY or INITIALIZED to SECURED occurs when MyID sets the customer keys for a card.
    See the Smart Card Integration Guide for whether you need to set this option.

Setting: Show Generated PINs
Default value: Yes
Description: Whether the PIN for a device (when this is a random or server-generated PIN) should be displayed when the device is issued.
Further information: Only the Issue Card workflow can display generated PINs. Other issuance workflows will not display the user PIN that has been generated.

Setting: Transport PIN
Default value: 12549856
Description: Default PIN for canceled cards. If you are using on-device PIN policies, you must set the transport PIN to match the PIN policy in the card properties file.

Setting: Use logon name for server PIN generation
Default value: No
Description: You can use the user's logon name as the diversification data for PIN generation; this ensures that the user has the same PIN for all of their devices.
Further information: See section 9.3, EdeficePinGenerator PIN generation algorithm for details.

Setting: Use PIN policy settings in random server PIN generation
Default value: No
Description: When set to No, the random PIN generator does not take into account the PIN policy determined by the credential profile. When set to Yes, the random PIN generator takes into account the PIN policy determined by the credential profile.
Further information: See section 9, PIN generation for details.

Setting: Use Security Phrase algorithm version 2
Default value: Ask
Description: If you are upgrading from a previous system, and this option was previously set to No, this is set to Yes by the installer. This option is used to configure MyID to set security phrases to use SHA256 hashing.
Further information: See the Upgrading security phrase security section in the Installation and Configuration Guide for details of upgrading the hashed security phrase answers stored in the MyID database.