31.4 PINs page (Security Settings)
Setting |
|
Default value |
Lock security phrases |
Description |
Determines what happens when a user has reached the Maximum allowed security question failures – see section 31.1, Logon page (Security Settings). This can be one of the following: Lock security phrases – The user's account is locked. None – The user can retry as many times as they like. |
Further information |
|
Setting |
|
Default value |
No |
Description |
Whether the holder’s security phrase is used when unlocking a card. |
Further information |
See the Self-service PIN reset authentication section in the Operator's Guide. |
Setting |
|
Default value |
Yes |
Description |
Whether the case of responses to security phrases or logon codes is checked when authenticating. |
Further information |
Important: See section 3.3.2, Changing rules for security phrases. For logon codes, if you set this option to No, make sure that you have not included L or l (must/may contain lower case letters) in your logon code complexity format; otherwise, you will be unable to use the generated codes. Use a code like 12-12USN instead. |
Setting |
|
Default value |
12 |
Description |
The default maximum PIN length. You can override this setting in the credential profile using the Maximum PIN length option. |
Further information |
Setting |
|
Default value |
120 |
Description |
The number of seconds before timeout when performing immediate FIDO registration through the Self-Service Request Portal. |
Further information |
See the Registering FIDO authenticators using the Self-Service Request Portal section in the FIDO Authenticator Integration Guide. |
Setting |
|
Default value |
Ask |
Description |
Whether the PIN assigned during issue is locked. If so, the holder must enter a new PIN on first use. |
Further information |
Setting |
|
Default value |
1 |
Description |
The number of security phrases the user is required to provide when an operator asks them; for example, during the Authenticate Person or Unlock Credential workflows. |
Further information |
See section 3.3.3, Setting the number of security phrases required to authenticate. |
Setting |
Number of security questions for self-service authentication |
Default value |
2 |
Description |
The number of security phrases users are required to provide when authenticating themselves. |
Further information |
See section 3.3.3, Setting the number of security phrases required to authenticate. |
Setting |
|
Default value |
2 |
Description |
The number of security phrases to enroll for a user in the Change Security Phrases or Change My Security Phrases workflows. |
Further information |
See section 3.3.3, Setting the number of security phrases required to authenticate. |
Setting |
|
Default value |
Challenge |
Description |
Challenge – a dialogue between the holder and the helpdesk, passing challenges and responses to identify the holder and the device. Witness – another holder must witness the request. None – offline unlocking not possible. |
Further information |
Used for Giesecke & Devrient cards. |
Setting |
|
Default value |
180 |
Description |
Period of inactivity (in minutes) before a PIN must be re-entered. This may be overruled by the device’s own timeout period, if shorter. |
Further information |
|
Setting |
|
Default value |
No |
Description |
If you set this option to Yes, and the Use Security Phrase algorithm version 2 option is set to Ask, security phrases are stored only with SHA256 hashes. This allows you to force a transition to SHA256 security phrases and gradually remove any SHA1 stored answers. |
Further information |
|
Setting |
|
Default value |
Yes |
Description |
No longer used. Previously, this setting forced MyID to reload the device profile onto the card during issuance. |
Further information |
Appears only on upgraded systems. |
Setting |
|
Default value |
No |
Description |
No longer required. Previously, ff set to Yes, the user had to provide an authentication code to remotely unlock a card or device. |
Further information |
Appears only on upgraded systems. See the Unlocking a credential remotely section in the Operator's Guide for details of configuring MyID for remote unlock. |
Setting |
|
Default value |
|
Description |
The characters accepted in a security phrase. List individual characters or ranges. The only permissible ranges are a-z (all lowercase letters), A-Z (all uppercase letters) and 0-9 (all numbers). For example: a-zA-Z!%& The default (blank) means no restrictions. |
Further information |
Note: a-z and A-Z do not include accented characters. If required, these must be specified individually. |
Setting |
|
Default value |
|
Description |
Defines the rules for allowed security phrases. Leave blank to allow any format. |
Further information |
See section 3.3.1, Setting rules for security phrases for detailed instructions. |
Setting |
|
Default value |
0 |
Description |
The minimum number of characters accepted for a security phrase. Set to 0 to allow any security phrases with one or more characters. |
Further information |
|
Setting |
|
Default value |
0 |
Description |
The maximum number of repeated characters accepted in security phrases. 0 allows any number of repeated characters. |
Further information |
|
Setting |
|
Default value |
0 |
Description |
The maximum number of sequential characters – either numbers (1, 2, 3) or letters (a, b, c) – in security phrases. 0 allows any number of sequential characters. |
Further information |
|
Setting |
|
Default value |
No |
Description |
Set to Yes to remove any spaces from security phrases before storing or checking the security phrase. |
Further information |
Important: See section 3.3.2, Changing rules for security phrases. |
Setting |
|
Default value |
No |
Description |
Whether MyID can set the GlobalPlatform status for a device. When you use deferred activation, MyID must be able to set the card status from SECURED to LOCKED. If the card is shipped with the status SECURED, no further action is required. If the card is shipped with the status OP_READY or INITIALIZED, for example, you must set this option to Yes to allow MyID to change the card status to SECURED before it sets the status to LOCKED for deferred activation. Note: You must also make sure that you set up customer GlobalPlatform keys for your cards. The status change from OP_READY or INITIALIZED to SECURED occurs when MyID sets the customer keys for a card. See the Smart Card Integration Guide for whether you need to set this option. |
Further information |
|
Setting |
|
Default value |
Yes |
Description |
Whether the PIN for a device (when this is a random or server-generated PIN) should be displayed when the device is issued. |
Further information |
Only the Issue Card workflow can display generated PINs. Other issuance workflows will not display the user PIN that has been generated. |
Setting |
|
Default value |
12549856 |
Description |
Default PIN for canceled cards. If you are using on-device PIN policies, you must set the transport PIN to match the PIN policy in the card properties file. |
Further information |
|
Setting |
|
Default value |
No |
Description |
You can use the user's logon name as the diversification data for PIN generation; this ensures that the user has the same PIN for all of their devices. |
Further information |
See section 9.3, EdeficePinGenerator PIN generation algorithm for details. |
Setting |
|
Default value |
No |
Description |
When set to No, the random PIN generator does not take into account the PIN policy determined by the credential profile. When set to Yes, the random PIN generator takes into account the PIN policy determined by the credential profile. |
Further information |
See section 9, PIN generation for details. |
Setting |
|
Default value |
Ask |
Description |
If you are upgrading from a previous system, and this option was previously set to No, this is set to Yes by the installer. This option is used to configure MyID to set security phrases to use SHA256 hashing. |
Further information |
See the Upgrading security phrase security in the Installation and Configuration Guide for details of upgrading the hashed security phrase answers stored in the MyID database. |