3.5 PIV card verification data reset
This section contains information on resetting the PIN on the PIV card. The cardholder can reset the PIN themselves using a self-service PIN reset process, or can reset the PIN with the assistance of a MyID operator.
3.5.1 Self-service PIN reset
You can reset the PIN in the following situations:
- When the PIN is locked because of multiple incorrect attempts at authentication.
  You can reset a locked PIN by inserting your card at the logon screen. Once authentication is attempted, if the card PIN is locked you are prompted to unlock the card.
  This operation must be authenticated – the type of authentication is determined by the credential profile used to issue your card, and by MyID configuration settings.
  FIPS 201-3 requires that a fingerprint is used to authenticate a person before the PIN can be reset.
  The system default setting for MyID PIV is to require a fingerprint to unlock a card.
  You can configure the credential profile to require additional biometric authentication. This can be used where the installation supports multiple credential types, including non-PIV cards and use of PIV cards for CIV. In this case, the global configuration can be set to not require a fingerprint to unlock a card – the credential profile will override this for cards associated with it.
  The following authentication rules are supported by MyID, but are not recommended for use with FIPS 201-3:
  - Require an authentication code (credential profile rule).
  - Where the credential profile setting is ‘System Default’, both biometrics and security questions can be required, based on global configuration.
  - Where the credential profile carries no activation authentication requirements (it is set to Never), there is no requirement for a biometric or an authentication code, overriding the global configuration. It is not possible to unlock a card with no authentication at all, therefore security questions should be configured.
  Note: Before unlocking a card, MyID checks the latest version of the credential profile – therefore policy changes made after card issuance will be enforced.
- When the user decides to change their PIN to a new value.
  You can use the MyID Change PIN workflow to change your PIN. You must re-enter your old PIN before you supply the new PIN; see the Changing a device PIN section in the MyID Operator Client guide.
  Alternatively, you can use the Reset PIN option in the Self-Service App. Similarly, you must re-enter your old PIN before you supply the new PIN.
MyID has a PIN unlock utility that allows you to perform a challenge/response PIN unlock or to change the card's PIN. See the Remote PIN Management utility for PIV cards section in the Operator's Guide for details.
Note: Currently, this utility does not allow fingerprint verification, and therefore is not recommended for use with cards that require FIPS 201-3.
3.5.2 Operator-led PIN reset
You can use the Reset Card PIN workflow to reset another person’s card PIN; see the Resetting a card's PIN section in the Operator's Guide.
This operation:
- Cannot be used to unlock your own card – the self-service operations must be used instead.
- Can only be used to unlock a card belonging to a user account in the current operator's scope.
- Does not enforce any additional authentication – use the Authenticate Person operation to create an audited record of the user authentication. This operation allows an authenticated MyID operator, with appropriate permissions in their role, to:
  - Attempt fingerprint verification.
  - Bypass fingerprint verification if necessary.
  - Record details of the identity documents presented by the user.
  - Override any further authentication.
For more information, see section 5.14, Authenticating users.
3.5.3 Biometric matching for PIN reset
When MyID carries out a biometric match for PIN reset, it:
- Takes the fingerprint templates provided by the cardholder (translated from a raw image by the biometric template generator).
- Matches them against the fingerprint captured at enrollment – this is biometric data stored in the MyID database, and provides an off-card 1:1 biometric match. Matching takes place on the MyID server.
The matching library used by MyID can be selected in global configuration.
3.5.4 Resetting other verification data
In this release, other verification data (biometrics, printed information, and so on) may only be reset when the electronic data within the card is re-issued. This can occur at:
- Repersonalize Card.
- Reinstate Card.
- Collection of a replacement card.