5.13 Sending a code to unlock a device

If a cardholder has locked their device, you can send an authentication code that can be used for unlocking the device and resetting the PIN.

You can send an unlock code to the person through email or as an SMS message to their cell phone.

Alternatively, you can allow an operator to view an unlock code on their screen and then read it out over the phone or paste it into a secure chat channel, so that the person can unlock their device.

You can also choose whether to send a short lifetime unlock code for immediate use (which is valid for two minutes by default) or a long lifetime unlock code (which is valid for 30 days by default).

The cardholder can provide the authentication code when using the Reset PIN option in the Self-Service App or the I want to reset my PIN option in the Self-Service Kiosk, or an operator can unlock the device using the Authentication Code tab of the Reset Card PIN or Unlock Credential workflows; see section 5.7, Resetting a device's PIN and section 5.11, Unlocking a device.

5.13.1 Configuring authentication codes for unlocking

  1. Set the configuration options:

    1. From the Configuration category, select Security Settings.

    2. On the Auth Code tab, set the following:

      • Auth Code Complexity – set this to the complexity you want to use for requests where the complexity is not specified in the email template. Select one of the following:

        • Complex – uses the complexity determined by the Complex Logon Code Complexity configuration option. This is the default.

        • Simple – uses the complexity determined by the Simple Logon Code Complexity configuration option.

      • Auth Code Lifetime for Immediate Use – set this to the number of seconds for which a short lifetime authentication code is valid. To make short lifetime authentication codes never expire, set this value to 0. The default is 120 seconds.

      • Auth Code Lifetime – set this to how long a long lifetime authentication code is valid. To make long lifetime authentication codes never expire, set this value to 0. The default is 720 hours (30 days). A lifetime of 0 leaves the code valid indefinitely, so keep lifetimes as short as your business process allows.

    3. Click Save changes.

  2. In the Edit Roles workflow, make sure the operator has the Send Auth Code for PIN Unlock or View Auth Code for PIN Unlock option selected for their role.

  3. From the Configuration category, select Email Templates.

    The methods of delivery for the unlock code are determined by the enabled status of the following email templates:

    • Unlock Credential Code Email – used to send an authentication code in an email message to the person's configured email address. By default, this delivery method is enabled.

    • Unlock Credential Code SMS – used to send an authentication code in an SMS message to the person's configured cell phone number. By default, this delivery method is disabled.

    Make sure the delivery methods you want to use are enabled. If you disable both email templates, the operator cannot send an unlock code, but can still view an unlock code on screen using the View Auth Code feature if their role has the View Auth Code for PIN Unlock option selected.

    Note: The complexity of the code is determined by the Complexity option configured in the email template. See the Changing email messages section in the Administration Guide for details. If you are displaying the code on screen instead, the complexity of the code is determined by the Auth Code Complexity configuration option.

    Important: You can edit the content of the email templates, and enable or disable them, but do not change the Transport option, or the notifications will no longer work correctly.

  4. Set up an SMTP server.

    Note: If your business process requires operators to view codes on their screens, and you do not intend to send any codes from the MyID server through email or SMS, you do not have to set up an SMTP server.

    See the Setting up email section in the Advanced Configuration Guide for details.

  5. If you are using SMS to send the authentication codes, configure your system for SMS notifications:

    1. From the Configuration category, select Operation Settings.

    2. On the General tab, set the following:

      • SMS email notifications – set to Yes.

      • SMS gateway URL for notifications – set to the URL of your SMS gateway.

        By default, SMS messages are sent through an email-to-SMS gateway, to an address in the format <cellnumber>@<gateway>, where:

        • <cellnumber> – the cell phone number from the person's record.

        • <gateway> – the URL from the SMS gateway URL for notifications option.

        For example, with illustrative values (not the original example), a cell phone number of 5551234567 and a gateway of sms.example.com produce the address 5551234567@sms.example.com.

        If this is not suitable, you can customize the sp_CustomPrepareSMS stored procedure in the MyID database.

    3. Click Save changes.

  6. Recycle the web service app pools:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
    3. Right-click the myid.rest.core.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the MyID Operator Client picks up the configuration changes.

    Note: You must recycle the app pools whenever you make a change to these settings; for example, when changing the availability of email templates or changing the value of a configuration option.

5.13.2 Sending an unlock code

To send an unlock code for a device:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the DEVICES tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.
  2. Click the Send Auth Code option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The Send Auth Code option appears only if the device is in a suitable state for unlocking; it must be active and issued, and a contact card, Identity Agent, or Microsoft VSC. If the device requires activation, this option sends an authentication code instead (see section 5.12, Sending an authentication code to activate a device). You must also make sure that you have the Send Auth Code for PIN Unlock option selected for your role in the Edit Roles workflow.

    The Send Unlock Code screen appears.

  3. Type any Notes you want to store in the audit trail about the operation.

  4. From the Delivery Mechanism drop-down list, select how you want to send the code.

    You can choose from:

    • Unlock Code Email – sends the code as an email to the person's configured email address. This option is available if the Unlock Credential Code Email template is enabled in the Email Templates workflow.

    • Unlock Code SMS – sends the code as a text message to the person's configured cell phone number. This option is available if the Unlock Credential Code SMS template is enabled in the Email Templates workflow.

    Note: The complexity of the code is determined by the Complexity option configured in the email template. See the Changing email messages section in the Administration Guide for details.

  5. From the Lifetime drop-down list, select how long you want the code to be valid.

    The options here are determined by the values saved in the Auth Code Lifetime for Immediate Use and Auth Code Lifetime configuration options; by default, the options are:

    • Expires 30 days from request – based on the default Auth Code Lifetime setting of 720 hours.

    • Expires 2 minutes from request – based on the default Auth Code Lifetime for Immediate Use setting of 120 seconds.

  6. Click Save.

    MyID sends the authentication code to the person, who can then use it to reset their device PIN, either using the Reset PIN option in the Self-Service App or the I want to reset my PIN option in the Self-Service Kiosk, or with the assistance of an operator using the Reset Card PIN or Unlock Credential workflow; see section 5.7, Resetting a device's PIN and section 5.11, Unlocking a device.
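The following Python model is an added illustration of the rules in section 5.13.1 (how template enablement and the Edit Roles options gate the Send Auth Code and View Auth Code actions) and of the Lifetime list described in step 5 of this section. It is not MyID code and calls no MyID API; the setting names and defaults (120 seconds, 720 hours, 0 for no expiry, email enabled and SMS disabled by default) come from this section, while the class and function names, the "Never expires" label and the reference timestamp are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuthCodeSettings:
    """Values from Security Settings > Auth Code tab and the Email Templates workflow."""
    immediate_lifetime_seconds: int = 120  # Auth Code Lifetime for Immediate Use; 0 = no expiry
    long_lifetime_hours: int = 720         # Auth Code Lifetime; 0 = no expiry; 720 h = 30 days
    email_template_enabled: bool = True    # Unlock Credential Code Email (enabled by default)
    sms_template_enabled: bool = False     # Unlock Credential Code SMS (disabled by default)


@dataclass(frozen=True)
class OperatorRole:
    """The two Edit Roles options that gate the unlock-code actions."""
    send_auth_code_for_pin_unlock: bool = False
    view_auth_code_for_pin_unlock: bool = False


def _describe(delta: timedelta) -> str:
    """Largest whole unit that divides the lifetime exactly: 720 h -> '30 days', 120 s -> '2 minutes'."""
    secs = int(delta.total_seconds())
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if secs % size == 0:
            count = secs // size
            return f"{count} {unit if count != 1 else unit[:-1]}"
    raise AssertionError("unreachable: every lifetime divides by one second")


def lifetime_options(s: AuthCodeSettings) -> List[Tuple[str, Optional[timedelta]]]:
    """Entries of the Lifetime drop-down, long lifetime first, as listed in section 5.13.2.

    A configured value of 0 means the code never expires and is modelled as None.
    The "Never expires" label is an assumption; the page only shows the two default labels.
    """
    options: List[Tuple[str, Optional[timedelta]]] = []
    for value, unit in ((s.long_lifetime_hours, timedelta(hours=1)),
                        (s.immediate_lifetime_seconds, timedelta(seconds=1))):
        if value == 0:
            options.append(("Never expires", None))
        else:
            delta = value * unit
            options.append((f"Expires {_describe(delta)} from request", delta))
    return options


def delivery_mechanisms(s: AuthCodeSettings) -> List[str]:
    """Entries of the Delivery Mechanism drop-down on the Send Unlock Code screen."""
    mechanisms = []
    if s.email_template_enabled:
        mechanisms.append("Unlock Code Email")
    if s.sms_template_enabled:
        mechanisms.append("Unlock Code SMS")
    return mechanisms


def available_actions(s: AuthCodeSettings, role: OperatorRole) -> List[str]:
    """Button-bar actions offered for an active, issued device.

    Send needs its role option and at least one enabled template; View needs only its
    role option, so it survives disabling both templates (section 5.13.1, step 3).
    """
    actions = []
    if role.send_auth_code_for_pin_unlock and delivery_mechanisms(s):
        actions.append("Send Auth Code")
    if role.view_auth_code_for_pin_unlock:
        actions.append("View Auth Code")
    return actions


@dataclass(frozen=True)
class IssuedCode:
    """An unlock code as recorded when the operator clicks Save."""
    issued_at: datetime
    lifetime: Optional[timedelta]  # None = configured lifetime of 0, never expires

    def expires_at(self) -> Optional[datetime]:
        return None if self.lifetime is None else self.issued_at + self.lifetime

    def is_valid_at(self, when: datetime) -> bool:
        """True while the code may still be presented; non-expiring codes stay valid forever."""
        expiry = self.expires_at()
        return expiry is None or when < expiry


def code_valid(lifetime_seconds: int, elapsed_seconds: int) -> bool:
    """Would a code issued with the given configured lifetime still be valid after elapsed_seconds?"""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time
    lifetime = None if lifetime_seconds == 0 else timedelta(seconds=lifetime_seconds)
    return IssuedCode(issued, lifetime).is_valid_at(issued + timedelta(seconds=elapsed_seconds))


if __name__ == "__main__":
    defaults = AuthCodeSettings()
    for label, _ in lifetime_options(defaults):
        print(label)                      # the two default Lifetime entries
    print(delivery_mechanisms(defaults))  # only email is enabled by default
    print(code_valid(120, 119), code_valid(120, 121), code_valid(0, 10**9))
```

Run as a script, the block prints the two default Lifetime entries and shows that a 2 minute code is still valid after 119 seconds but not after 121, while a lifetime of 0 never expires. When reviewing a deployment, feed it the values from the Auth Code tab to spot a long lifetime set to 0.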

5.13.3 Viewing an unlock code

To view an unlock code for a device:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the DEVICES tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.
  2. Click the View Auth Code option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The View Auth Code option appears only if the device is in a suitable state for unlocking; it must be active and issued, and a contact card, Identity Agent, or Microsoft VSC. If the device requires activation, this option sends an authentication code instead (see section 5.12, Sending an authentication code to activate a device). You must also make sure that you have the View Auth Code for PIN Unlock option selected for your role in the Edit Roles workflow.

    The View Unlock Code screen appears.

  3. Type any Notes you want to store in the audit trail about the operation.

  4. From the Lifetime drop-down list, select how long you want the code to be valid.

    The options here are determined by the values saved in the Auth Code Lifetime for Immediate Use and Auth Code Lifetime configuration options; by default, the options are:

    • Expires 30 days from request – based on the default Auth Code Lifetime setting of 720 hours.

    • Expires 2 minutes from request – based on the default Auth Code Lifetime for Immediate Use setting of 120 seconds.

    Note: The complexity of the code is determined by the Auth Code Complexity configuration option.

  5. Click Save.

    MyID displays the unlock code on screen. You can now provide this to the person who needs to unlock their device; for example, you can read the code out over the phone, or send it by a secure chat channel.

    The person can then use it to reset their device PIN, either using the Reset PIN option in the Self-Service App or the I want to reset my PIN option in the Self-Service Kiosk, or with the assistance of an operator using the Reset Card PIN or Unlock Credential workflow; see section 5.7, Resetting a device's PIN and section 5.11, Unlocking a device.