5 Passwords

5.1 Passwords for startup users

When you install MyID, you are given the option of creating startup users that can access the system using a standard set of passwords rather than using smart cards to log on. Some versions of MyID use the installation program to create the startup users, while later versions use GenMaster.

These startup users are intended only for bootstrapping the system.

5.1.1 Risks

Usernames and passwords created by the MyID installation program are identical across all MyID systems, and are listed in the MyID documentation. If you leave the startup users active, anyone who knows the startup usernames and passwords on any MyID system will be able to access your system.

Passwords created by GenMaster for the startup user are specified when you run the program; however, the startup username may still be known.

5.1.2 Solution

Once you can issue operator cards successfully, you can enroll a user and issue a physical card for each role; once you have done this, you must delete the startup users from the system.

5.1.3 Implementation

To remove the startup user, from the People category, click Remove Person.

5.1.4 Recommendations

As soon as you can issue operator cards, issue cards for each role, then delete the startup password users.

If you do not intend to allow any users to log on with passwords, you can prevent any access using security phrases: set the following configuration option in the Logon Mechanisms tab of the Security Settings workflow:

If you want to allow password or authentication code logon to MyID for the purpose of PIN resets, but not for general logon, you can prevent password logon for cases where the user does not also have their card present: set the following configuration option in the Logon tab of the Security Settings workflow:

Note: If you need to recover a GenMaster-based startup user account, you can use the Recover Startup User utility; see the Recover Startup User section in the Implementation Guide.