5.12 Sending an authentication code to activate a device

If the credential profile for a device has been configured for activation, and its Activation Authentication option is set to use an authentication code, then once the device is ready for activation (that is, its Status is PendingActivation) you can send an authentication code to the person so that they can activate their device.

For information on setting up a credential profile for activation, see the Activating cards section in the Administration Guide.

You can send an authentication code to the person through email or as an SMS message to their cell phone.

Alternatively you can allow an operator to view an authentication code on their screen, which they can then read out over the phone or paste into a secure chat channel to allow the person to activate their device.

You can also choose whether to send a short lifetime authentication code for immediate use (valid for two minutes by default) or a long lifetime authentication code (valid for 30 days by default).

5.12.1 Configuring authentication codes for activation

  1. Set the configuration options:

    1. From the Configuration category, select Security Settings.

    2. On the Auth Code tab, set the following:

      • Auth Code Complexity – set this to the complexity you want to use for requests where the complexity is not specified in the email template. Select one of the following:

        • Complex – uses the complexity determined by the Complex Logon Code Complexity configuration option. This is the default.

        • Simple – uses the complexity determined by the Simple Logon Code Complexity configuration option.

      • Auth Code Lifetime for Immediate Use – set this to the number of seconds for which a short lifetime authentication code is valid. To set short lifetime authentication codes for no expiry, set this value to 0. The default is 120 seconds.

      • Auth Code Lifetime – set this to the number of hours for which a long lifetime authentication code is valid. To set long lifetime authentication codes for no expiry, set this value to 0. The default is 720 hours (30 days).

        Note: a value of 0 means that an unused code remains valid indefinitely, including any code that has been sent to the wrong address or intercepted in transit. Use a finite lifetime unless your business process specifically requires codes that do not expire.

    3. Click Save changes.

  2. In the Edit Roles workflow, make sure the operator has the Send Auth Code for Activation or View Auth Code for Activation option selected for their role. These are separate options: View Auth Code for Activation reveals the code to the operator on screen, so grant it only to operators whose business process requires them to relay codes by phone or secure chat.

  3. From the Configuration category, select Email Templates.

    The methods of delivery for the authentication code are determined by the enabled status of the following email templates:

    • Activation Code Email – used to send an authentication code in an email message to the person's configured email address. By default, this delivery method is enabled.

    • Activation Code SMS – used to send an authentication code in an SMS message to the person's configured cell phone number. By default, this delivery method is disabled.

    Make sure the delivery methods you want to use are enabled. If you disable both email templates, the operator cannot send an authentication code, but may still be able to view an authentication code on screen using the View Auth Code feature.

    Note: The complexity of the code is determined by the Complexity option configured in the email template. See the Changing email messages section in the Administration Guide for details. If you are displaying the code on screen instead, the complexity of the code is determined by the Auth Code Complexity configuration option.

    Important: You can edit the content of the email templates, and enable or disable them, but do not change the Transport option, or the notifications will no longer work correctly.

  4. Set up an SMTP server.

    Note: If your business process requires operators to view codes on their screens, and you do not intend to send any codes from the MyID server through email or SMS, you do not have to set up an SMTP server.

    See the Setting up email section in the Advanced Configuration Guide for details.

  5. If you are using SMS to send the authentication codes, configure your system for SMS notifications:

    1. From the Configuration category, select Operation Settings.

    2. On the General tab, set the following:

      • SMS email notifications – set to Yes.

      • SMS gateway URL for notifications – set to the URL of your SMS gateway.

        By default, SMS messages are sent through an email-to-SMS gateway, as an email addressed in the format <cellnumber>@<gateway>, where:

        • <cellnumber> – the cell phone number from the person's record.

        • <gateway> – the URL from the SMS gateway URL for notifications option.

        For example: [email protected]

        If this is not suitable, you can customize the sp_CustomPrepareSMS stored procedure in the MyID database.

    3. Click Save changes.

  6. Recycle the web service app pools:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
    3. Right-click the myid.rest.core.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the MyID Operator Client picks up the configuration changes.

    Note: You must recycle the app pools whenever you make a change to these settings; for example, when changing the availability of email templates or changing the value of a configuration option.
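    As an added example (not part of the MyID documentation, and not a script supplied by Intercede), the following PowerShell recycles the two application pools named in step 6 from an elevated session on the MyID web server and confirms that each pool returns to the Started state, so that a mistyped pool name or a pool that fails to restart is reported instead of being missed. It assumes the WebAdministration module that ships with the IIS management tools is installed; the 60 second timeout is an assumption, not a MyID setting.

```powershell
# Added example: recycle the MyID web service app pools and verify they restart.
# Assumes the IIS WebAdministration module is available (IIS management tools).
Import-Module WebAdministration -ErrorAction Stop

# Pool names are taken from the procedure above.
$pools = @('myid.web.oauth2.pool', 'myid.rest.core.pool')
$timeoutSeconds = 60   # assumption: how long to wait for a pool to come back

foreach ($name in $pools) {
    $path = "IIS:\AppPools\$name"
    if (-not (Test-Path $path)) {
        throw "Application pool '$name' not found; check the pool name in IIS Manager."
    }

    $before = (Get-Item $path).state
    Write-Host "Recycling $name (current state: $before)"

    # Restart-WebAppPool recycles the pool, the same action as Recycle in IIS Manager.
    Restart-WebAppPool -Name $name

    # Poll the pool state until it reports Started again, or give up after the timeout.
    $deadline = (Get-Date).AddSeconds($timeoutSeconds)
    do {
        Start-Sleep -Milliseconds 500
        $state = (Get-Item $path).state
    } until ($state -eq 'Started' -or (Get-Date) -gt $deadline)

    if ($state -ne 'Started') {
        throw "Application pool '$name' is in state '$state' after recycle; check the IIS event log."
    }
    Write-Host "$name is $state"
}
```

    Run this after every change to the Auth Code settings or the email templates, as the note above requires; the MyID Operator Client reads the new values only after both pools have recycled.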

5.12.2 Sending an authentication code for activation

To send an authentication code for activation:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the DEVICES tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.

  2. Click the Send Auth Code option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The Send Auth Code option appears only if the device is in a suitable state for activation; that is, it has been issued with a credential profile configured to use authentication codes for activation, and is at a Status of PendingActivation. You must also make sure that you have the Send Auth Code for Activation option selected for your role in the Edit Roles workflow.

    Note: The Send Auth Code option may also appear if the card has been fully issued; in this case, it sends an unlock code rather than an authentication code. See section 5.13, Sending a code to unlock a device for details.

    The Send Activation Code screen appears.

  3. Type any Notes you want to store in the audit trail about the operation.

  4. From the Delivery Mechanism drop-down list, select how you want to send the code.

    You can choose from:

    • Activation Code Email – sends the code as an email to the person's configured email address. This option is available if the Activation Code Email template is enabled in the Email Templates workflow.

    • Activation Code SMS – sends the code as a text message to the person's configured cell phone number. This option is available if the Activation Code SMS template is enabled in the Email Templates workflow.

    Note: The complexity of the code is determined by the Complexity option configured in the email template. See the Changing email messages section in the Administration Guide for details.

  5. From the Lifetime drop-down list, select how long you want the code to be valid.

    The options here are determined by the values saved in the Auth Code Lifetime for Immediate Use and Auth Code Lifetime configuration options; by default, the options are:

    • Expires 30 days from request – based on the default Auth Code Lifetime setting of 720 hours.

    • Expires 2 minutes from request – based on the default Auth Code Lifetime for Immediate Use setting of 120 seconds.

  6. Click Save.

    MyID sends the authentication code to the person, who can then use it to activate their device.

5.12.3 Viewing an authentication code for activation

To view an authentication code for activation on screen:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the DEVICES tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.

  2. Click the View Auth Code option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The View Auth Code option appears only if the device is in a suitable state for activation; that is, it has been issued with a credential profile configured to use authentication codes for activation, and is at a Status of PendingActivation. You must also make sure that you have the View Auth Code for Activation option selected for your role in the Edit Roles workflow.

    Note: The View Auth Code option may also appear if the card has been fully issued; in this case, it generates an unlock code rather than an authentication code. See section 5.13, Sending a code to unlock a device for details.

    The View Activation Code screen appears.

  3. Type any Notes you want to store in the audit trail about the operation.

  4. From the Lifetime drop-down list, select how long you want the code to be valid.

    The options here are determined by the values saved in the Auth Code Lifetime for Immediate Use and Auth Code Lifetime configuration options; by default, the options are:

    • Expires 30 days from request – based on the default Auth Code Lifetime setting of 720 hours.

    • Expires 2 minutes from request – based on the default Auth Code Lifetime for Immediate Use setting of 120 seconds.

    Note: The complexity of the code is determined by the Auth Code Complexity configuration option.

  5. Click Save.

    MyID displays the authentication code on screen. You can now provide this to the person who needs to activate their device; for example, you can read the code out over the phone, or send it by a secure chat channel.