Unlocking cards and resetting PINs

5.10 Unlocking cards and resetting PINs

If users type an incorrect PIN several times, their card is locked – this means they cannot use it to log in. Depending on how your system is set up, cardholders may be able to unlock the card themselves, or they may need to call a helpdesk.

5.10.1 Resetting a card's PIN

You can use the Reset Card PIN workflow to change the PIN of another user's card. This workflow allows you to set a new PIN when the card's PIN has become locked; an administrator can specify the authentication methods that you can use to reset the PIN.

To reset the PIN of a card:

From the Cards category, click Reset Card PIN.

You can also launch this workflow from the View Device screen in the MyID Operator Client; this launches the workflow with the device already selected. See the Resetting a device's PIN section in the MyID Operator Client guide for details.
Insert the card you want to reset.
Select the card, then click Next.

You may be asked to provide the cardholder's fingerprints, depending on the setting of the Verify Fingerprints During Reset PIN option in the Issuance Settings section of the credential profile used to issue the device:
- If Verify Fingerprints During Reset PIN is Always, you must provide fingerprint verification. If the cardholder does not have fingerprints enrolled, or you exceed the number of allowed attempts (as specified by the Number of fingerprint validation attempts option on the Biometrics page of the Operation Settings workflow), you cannot reset the PIN.
- If Verify Fingerprints During Reset PIN is Preferred, you must provide fingerprint verification if the cardholder has fingerprints enrolled. If the cardholder does not have fingerprints enrolled, or you exceed the number of allowed attempts (as specified by the Number of fingerprint validation attempts option on the Biometrics page of the Operation Settings workflow), you can proceed to the Authenticate User stage and provide alternative means of authenticating the user to reset the PIN.
- If Verify Fingerprints During Reset PIN is None, you can proceed to the Authenticate User stage.
If you provide a good fingerprint match, you skip the Authenticate User stage and proceed directly to the Enter New PIN stage.

The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

You can now choose how to authenticate the user's identity.

The authentication methods available depend on how your administrator has configured your system. See section 5.10.2, PIN reset authentication methods for details.
Select the tab for the appropriate authentication method.
- Card PIN – select this option if the user is present, knows their existing PIN, and the PIN on the card has not been locked. On the Enter New PIN stage after you click Next, you will provide the current PIN as well as the new PIN.
  
  Note: If you select this option, the Reset PIN to Secure Value option in the credential profile is ignored, and you must enter a new PIN manually; if you want to generate a new server-generated PIN for the device, select a different authentication method.
- Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.
  
  See section 5.10.9, Requesting an authentication code and the Sending a code to unlock a device section in the MyID Operator Client guide for details.
- Security Questions – select this option to provide answers to a selection of the user's security questions.
  
  See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.
- Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.
  
  Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.
- Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
- Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.
Click Next.
If the credential profile is not configured for server-generated PINs (or you have selected Card PIN as the authentication method), you must enter a new PIN manually.

Type the new PIN and confirm it, then click Continue.

Note: If you selected the Card PIN authentication method, you must provide the current PIN as well as the new PIN.

If the credential profile is configured for server-generated PINs (and you have not selected Card PIN as the authentication method), the workflow moves automatically to the next stage. For information on configuring the credential profile to use server-generated PINs for PIN reset, see the Credential profile setup for PIN generation section in the Administration Guide.

MyID resets the PIN on the card to the new value. Do not remove the card from the reader until the process is complete.
If the credential profile is configured to print PIN reset documents, you are given the option to Print the configured document or Skip document printing.

Click Next to complete the workflow.

5.10.2 PIN reset authentication methods

You can configure which authentication methods are available in the Reset Card PIN workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To configure the PIN reset authentication methods:

From the Configuration category, select Edit Roles.
Under the Reset Card PIN option, select the following options:
- Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).
  
  Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.
- Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
- Security Questions – select this option to allow authentication using answers to the user's stored security questions.
- Reject Authentication – select this option to allow the operator to reject the authentication for the user.
- Card PIN – select this option to allow authentication using the current PIN.
- Authentication Code – select this option to allow authentication codes.
- Bypass Authentication – select this option to skip the authentication stage on the Reset Card PIN workflow. Do not select any other authentication methods in conjunction with this option.
Click Save Changes.

5.10.3 Resetting your own PIN

You can use the Reset PIN option to change your own PIN at the logon screen. You can use this option to reset your PIN at any time, including when your card has been locked by entering the PIN incorrectly too many times.

To reset your PIN:

At the logon screen, click Reset PIN.
Complete the authentication requested.

For example, provide your fingerprints.

The authentication you provide depends on the setup of your credential profile. See section 5.10.6, Self-service PIN reset authentication for details.
Provide your new PIN.
Click Reset PIN.

5.10.4 Changing a card's PIN

You can use the Change PIN workflow to change the PIN of your own card, or of any other card present.

To change the PIN of a card:

From the Cards category, click Change PIN.

You can also launch this workflow from the View Device screen in the MyID Operator Client; this launches the workflow with the device already selected. See the Changing a device PIN section in the MyID Operator Client guide for details.
Insert the card for which you want to change the PIN, then click OK.
Type the Old PIN.
Type the New PIN, then type it again in the Confirm PIN box.
Click Change.

MyID changes the PIN of the card.

5.10.5 Allowing self-service unlocking

You must have the Self-service Unlock option (on the Self-Service page of the Security Settings workflow) set to Yes to allow users to unlock their own cards.

For PIV systems, you also must configure the web service to allow self-service unlock. See the Configuring self-unlock section in the Web Service Architecture guide for details of the AllowSelfUnlockForPIV option.

Note: If your card data model has a 5FC101 container for a card authentication certificate, you cannot unlock a card that does not have a card authentication certificate in this container. If you attempt to carry out a self-service unlock on a PIV card that does not have this certificate, you will see an error similar to the following:

Error 890467 – Unable to authenticate card. Unlocking your own card is not allowed.

5.10.6 Self-service PIN reset authentication

Self-service card unlocking at the MyID Desktop logon screen enforces flexible authentication requirements based on the credential profile.

See the Self-Service Unlock Authentication section in the Administration Guide for details.

When you unlock your card using the Reset PIN option, MyID checks the latest version of the credential profile for the Self-Service Unlock Authentication setting.

Note: The latest version of the credential profile is always used. If you change the self-service authentication settings, you do not have to update existing issued smart cards.

If the Credential owners must authenticate using one of the methods below in the order shown is not set:
- If the Ask Security Questions for Self Service Card Unlock configuration option (on the PINs page of the Security Settings workflow) is set, the user can provide their security phrases to unlock their card.
- If the Biometric PIN Reset and Verify fingerprints during card unlock configuration options (on the Biometrics tab of the Operation Settings workflow) are set, the user must provide their fingerprints to unlock their card.
  
  If neither option is set, the user cannot unlock their card.
  
  If you have configured both security questions and biometrics, the biometric authentication takes precedence, as it is the more secure option.
If the Credential owners must authenticate using one of the methods below in the order shown is set:
- The authentication methods listed in the credential profile are presented to the cardholder in order.
- When the user is presented with a method of authentication, they can decline the option (for example, when presented with a smart card authentication screen, they can click the "I cannot authenticate with my device" option) and proceed to the next available logon mechanism.
- Windows logon is always attempted first; if Windows authentication is successful, the user starts the action; if it is unsuccessful, the user is presented with the next logon mechanism in the list.

5.10.6.1 Allowing biometric authentication

To allow biometric authentication when logging on to MyID to perform a PIN reset, you must set the following:

In the Security Settings workflow, on the Logon Mechanisms tab, set the Biometric Logon option.
In the Edit Roles workflow, add the Bio Unlock My Card workflow to the permissions for the roles you want to be able to reset PINs using biometric authentication.
In the Edit Roles workflow, on the Logon Methods screen, select Biometric Logon as a logon mechanism for the roles that have access to the Bio Unlock My Card workflow.
In the Operation Settings workflow, on the Biometrics tab, set the Allow Biometric PIN Reset option.

5.10.6.2 Allowing authentication codes and security phrases

To allow authentication codes or security phrases to be used when logging on to MyID to perform a PIN reset, you must set the following:

In the Security Settings workflow, on the Logon Mechanisms tab, set the Password Logon option.
In the Edit Roles workflow, on the Logon Methods screen, select Password as a logon mechanism for the roles you want to be able to use authentication codes or security phrases to perform a PIN reset.
If you want to allow password or authentication code logon to MyID for the purpose of PIN resets, but not for general logon, you can prevent password logon for cases where the user does not also have their card present; in the Security Settings workflow, on the Logon tab, set the Prevent Direct Password Logon option to Yes.

5.10.6.3 Using the Self-Service App or Self-Service Kiosk to unlock a card

You can use the Self-Service App or Self-Service Kiosk to unlock your card; note that you must have a role that has access to the Unlock My Card workflow to carry out this operation. See For further information, see the Self-Service App features section in the Self-Service App guide or the Self-Service Kiosk guide for details.

5.10.7 Unlocking a credential remotely

Users may need to contact their helpdesk to unlock their credentials (for example, smart cards, mobile devices, VSCs). The helpdesk operator can use the Unlock Credential workflow to provide a code that unlocks the card.

If the user has a locked smart card, and is physically present so that you can insert the card into a card reader on the operator's machine, you can use Reset Card PIN instead – see section 5.10.1, Resetting a card's PIN.

Note: Some smart card types do not support remote unlocking. See the Smart Card Integration Guide for details of those that do.

IKB-183 – MyID does not check expiry dates on identity documents

In the Unlock Credential workflow, MyID does not check the expiry date of any identity documents you provide to confirm the card holder's identity. If your organization's procedures require this check. you must verify the expiry date manually before proceeding.

To unlock a card remotely:

From the Cards category, click Unlock Credential.

You can also launch the Unlock Credential workflow from the View Device screen of the MyID Operator Client. The Unlock Credential workflow appears in a MyID Desktop window with the device already selected. See the Unlocking a device section in the MyID Operator Client guide for details.
Enter the search criteria for the person who owns the credential you want to unlock, then click Search.

See section 2.2.2, Entering search criteria for details of entering search criteria.
From the list of matching records, select the person to search for any credentials belonging to them.
Select the device you want to unlock.

The Person Details tab displays the details for the cardholder – this allows you to confirm that the card belongs to the correct user.

You can now choose how to authenticate the user's identity.

The authentication methods available depend on how your administrator has configured your system. See section 5.10.8, Remote unlock authentication methods for details.
Select the tab for the appropriate authentication method.
- Authentication Code – select this option if the user has an authentication code. Type the code that has been provided in the Authentication Code box.
  
  See section 5.10.9, Requesting an authentication code and the Sending a code to unlock a device section in the MyID Operator Client guide for details.
- Security Questions – select this option to provide answers to a selection of the user's security questions.
  
  See the Setting the number of security phrases required to authenticate section in the Administration Guide for details of configuring how many security phrases are required.
- Identity Documents – select this option to record the details of the identity documents (for example, passport, driver's license) that the user has presented to you.
  
  Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.
- Operator Approval – select this option to record your observations and your reasons for accepting the user's identity.
- Reject Authentication – select this option to record your observations and your reasons for not accepting the user's identity; you cannot then reset the card's PIN.
Click Next.
Ask the credential owner to read out the challenge code, and type it into the boxes provided.
Click Generate Response.
Read out the response code to the credential owner.
Provide details of the operation – whether the unlock was successful, and any details you want to add.
Click Next to complete the workflow.

5.10.8 Remote unlock authentication methods

You can configure which authentication methods are available in the Unlock Credential workflow using the Edit Roles workflow. This allows you to select a different set of authentication methods for each role; for example, you may want only senior operators to be able to use the Operator Approval method, while all operators can use the Authentication Code method.

You can also configure MyID to skip the authentication step entirely.

To set up authentication methods for unlocking:

From the Configuration category, select Edit Roles.
Under the Unlock Credential option, select the following options:
- Identity Documents – select this option to allow the operator to record the details of the documents the user presents (for example, passport, driver's license).
  
  Note: The list of available documents is determined by the Authenticate Person Document1 and Authenticate Person Document2 lists. To edit these lists, use the List Editor. See the Changing list entries section in the Administration Guide for details.
- Operator Approval – select this option to allow the operator to confirm the user's identity without further evidence.
- Security Questions – select this option to allow authentication using answers to the user's stored security questions.
- Reject Authentication – select this option to allow the operator to reject the authentication for the user.
- Authentication Code – select this option to allow authentication codes.
- Bypass Authentication – select this option to skip the authentication stage on the Unlock Credential workflow. Do not select any other authentication methods in conjunction with this option.
Assign these options to the appropriate roles; for example, you may want users who have one role to use security questions, and users who have another role to use authentication codes.
Click Save Changes.

5.10.9 Requesting an authentication code

The Request Auth Code workflow allows you to request an authentication or unlock code for a user.

Note: You can also request an authentication code for card activation or unlocking using the MyID Operator Client. See the Sending an authentication code to activate a device and Sending a code to unlock a device sections in the MyID Operator Client guide for details.

Authentication codes are used during card activation; see the Activating cards section in the Administration Guide for details. If an applicant makes several invalid attempts to enter an authentication code (as determined by the Maximum Allowed OTP Failures configuration option), quits out of the Activate Card workflow, or declines the terms and conditions, the code is canceled, and the applicant must ask an administrator to generate another code.

If a cardholder enters their PIN incorrectly too many times, the card is locked. An administrator can generate an unlock code using this workflow. The cardholder can then unlock the card: see section 5.10.3, Resetting your own PIN.

Note: Codes do not expire; they are valid until they are used. Only one code of each type can be assigned to a card – new codes supersede old codes.

The Request Auth Code workflow is not assigned to any roles by default; you must make sure that you use the Edit Roles workflow to assign the workflow to any roles that you want to be able to issue codes.

To generate a code:

From the Cards category, select Request Auth Code.
Use the Find Person screen to find the user for whom you want to generate a code.
Select the person.
If the user has more than one card, select the card.

The screen shows if the user has any existing unlock or authentication codes in the Existing Codes column. If you generate a code of the same type, the previous code is deactivated, and can no longer be used.
To generate an unlock code, click Unlock.

An email message is sent to the user containing a code that allows them to unlock the card. See section 5.10.3, Resetting your own PIN for details.
To generate an authentication code, click Activate.

An email message is sent to the user containing a code that allows them to activate the card. see the Activating cards section in the Administration Guide for details.

Note: The lifetime of auth codes is determined by the Auth Code Lifetime option on the Auth Code page of the Security Settings workflow. By default, the lifetime is set for 720 hours; to set auth codes to have unlimited expiry, set this option to 0.

5.10.10 Remote PIN Management utility for PIV cards

The MyID Card Utility allows you to carry out a remote unlock or change the PIN on cards that support PIV applets.

This utility has been developed with IDEMIA (PIV cards and ID-One PIV cards) and Gemplus PIV cards. You can also use the utility with Yubico devices, which support PIV features but are not PIV compliant. This utility supports Global PINs on smart cards that support that feature.

The MyIDCardUtility.exe file is installed to the Utilities folder on the MyID application server. You can copy this utility manually to any client PC you want to be able to use the functionality.

To use the card utility:

Copy the MyIDCardUtility.exe file to the client PC.
In Windows Explorer, double-click the MyIDCardUtility.exe file.

You can also set up a shortcut to run this utility.
If you are using multiple card readers, select the appropriate reader from the Select Card Reader drop-down list.
Click Read Card.

The utility reads the card, and the card serial number appears.
Select one of the following options:
- Change PIN
- Remote Unlock Card
To change the PIN:
1. Click Change PIN.
2. Click Next.
3. Type the card's Existing PIN.
4. Type the New PIN, and confirm the new PIN in the Confirm PIN box.
  
  Note: The PIN must be the same length or longer than the current PIN.
5. Click Next.
  
  The card PIN is changed.
To remote unlock the card:
1. Click Remote Unlock Card.
2. Click Next.
3. Call the helpdesk and provide the Unlock Challenge.
4. The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.
  
  The helpdesk operator can then read out the unlocking code.
  
  See section 5.10.7, Unlocking a credential remotely for details of using the Unlock Credential workflow.
5. Type the unlocking code from the helpdesk operator into the Unlock Code box.
6. Type a New PIN and confirm the new PIN in the Confirm PIN box.
7. Click Next.
  
  The card is unlocked, and is given a new PIN.

5.10.11 Unlock credential provider

MyID provides an unlock credential provider that allows a user to unlock their PIV card from the Windows logon screen. This provides the same functionality as the MyID Card Utility for remotely unlocking cards (see section 5.10.10, Remote PIN Management utility for PIV cards for details).

For details of installing and configuring the unlock credential provider, see the Installing the unlock credential provider section in the Installation and Configuration Guide.

To unlock a PIV card:

At the Windows logon screen, insert your locked PIV card.
Select the Unlock Credential Provider tile.

Note: The unlock credential provider displays a tile for each suitable logon certificate on the card; for example, a PIV card has both PIV Authentication and Card Authentication certificates, so the unlock credential provider displays two tiles. Click on any of the provided tiles to continue.

The unlock credential provider generates and displays a random challenge.
Call the helpdesk and provide the Challenge code.
The helpdesk operator must then open MyID, go to the Unlock Credential workflow, and type the Unlock Challenge into the Challenge Code boxes before clicking Confirm.

The helpdesk operator can then read out the unlocking code.

See section 5.10.7, Unlocking a credential remotely for details of using the Unlock Credential workflow.
Type the unlocking code from the helpdesk operator into the Response box.
Type a new PIN and confirm the new PIN in the PIN Check box.

The card is unlocked and given a new PIN, and the user is logged on to Windows.

Note: The next time you log on to Windows after unlocking your card using the unlock credential provider, the Unlock Credential Provider tile is selected on the logon screen; this is because Windows remembers the last option you selected on this screen. Click your preferred sign-in option and continue.

5.10.12 Known issues

IKB-283 – Error if an incorrect certificate is selected for PIN unlock

If two or more Windows logon certificates are present for the same identity on a single device, an error can occur after successfully completing setting a new PIN for the device if the following sequence has occurred.
- The user has initially logged on with a certificate on a device.
- The user locks the PC.
- The user attempts to unlock the computer but locks the PIN for the device by providing the incorrect PIN too many times.
- The user selects a different logon certificate on the same device.
- The user completes the unlock process and sets a new PIN.
A Windows message is displayed:

The user name or password is incorrect

In this scenario, the PIN is successfully changed, but the user must re-select the certificate and enter their PIN to logon to Windows again.