PIN Cache Timeout

Whether the PIN cache is configured per session or per process, the PIN cache is set to expire after a period of smart card inactivity. This is designed to guarantee that, if a user leaves their desk without locking their workstation, an intruder would not be able to perform any PIN-protected operation with the smart card.

The timeout corresponds to the period (in minutes) during which no PIN-protected operation is performed on the smart card. When the timeout expires, the PIN is deleted from the PIN cache. The user will be prompted for the PIN at the next PIN-protected operation.

Note: The timer is reset each time a PIN-protected operation occurs.

Policy Name: Number of minutes before PIN cache is cleared

Description:

Defines the number of minutes before the PIN cache is cleared. The default value is 15.

If this value is set to 9999, the PIN cache timeout is infinite. This means that the PIN cache is cleared at log off, shutdown, session disconnect, card removal, or workstation lock (depending on the Disable PIN cache clearance on workstation lock setting).

Possible Values:

  • Not Configured

  • Enabled – displays the default value, 15, and can be updated

  • Disabled

Exceptions

  • Number of minutes before PIN cache is cleared set to 0

    When the policy is set to 0, the expiration is immediate. In this case, the user will see a PIN prompt every time a protected card operation occurs, regardless of whether the PIN was previously cached. This configuration might cause issues with applications that manage their own user interface and do not allow ActivClient to prompt the user for PIN authentication as often as needed.

  • Number of minutes before PIN cache is cleared set to 9999

    When the policy is set to 9999, the maximum PIN inactivity period is considered infinite. In this case, no timer is maintained: the PIN cache is cleared at workstation lock, log off, shutdown, session disconnect, card removal and explicit card logout.

Example: PIN Cache Timeout of One Hour

  1. Set the policy to 60.

  2. Open Outlook with your smart card inserted.

  3. Send a signed email, and enter your PIN when prompted.

  4. Wait for 45 minutes.

  5. Send a second signed email. You are not prompted for the PIN because it is already cached.

  6. Wait another 45 minutes.

  7. Send a third signed email. You are not prompted for the PIN because it is already cached.

  8. Wait another 75 minutes.

  9. Send a fourth signed email. You are prompted for the PIN because the PIN cache timeout expired and the cached PIN was deleted.
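
The following is an added illustration, not ActivClient code: a small Python model of the timeout semantics described on this page, replaying the one-hour example and the 0 and 9999 exceptions. The class and function names are hypothetical, and treating a gap exactly equal to the timeout as expired is an assumption. It also reports how long a single PIN entry kept authorizing operations, which can exceed the configured value because the timer measures inactivity rather than time since PIN entry.

```python
# Added illustration of the policy semantics described above.
# Not ActivClient code; all names here are hypothetical.
INFINITE = 9999  # policy value meaning "no timer is maintained"


class PinCacheModel:
    def __init__(self, timeout_minutes=15):  # 15 is the documented default
        self.timeout = timeout_minutes
        self.last_op = None  # minute of last PIN-protected operation; None = cache empty

    def clear(self):
        """Workstation lock, log off, shutdown, session disconnect,
        card removal or explicit card logout: the cached PIN is deleted."""
        self.last_op = None

    def operation(self, now):
        """Run a PIN-protected operation at minute `now`.
        Returns True when the user would be prompted for the PIN."""
        if self.timeout == 0:
            return True  # immediate expiry: prompt on every operation
        cached = self.last_op is not None and (
            self.timeout == INFINITE
            or now - self.last_op < self.timeout  # assumption: gap == timeout expires
        )
        self.last_op = now  # the timer resets on every PIN-protected operation
        return not cached


def replay(timeout_minutes, op_times):
    """Prompt/no-prompt result for each operation time (in minutes)."""
    model = PinCacheModel(timeout_minutes)
    return [model.operation(t) for t in op_times]


def longest_cached_span(timeout_minutes, op_times):
    """Longest time (minutes) between a PIN entry and a later operation
    that was still served from the cache."""
    model = PinCacheModel(timeout_minutes)
    entered, longest = None, 0
    for t in op_times:
        if model.operation(t):
            entered = t  # user typed the PIN here
        else:
            longest = max(longest, t - entered)
    return longest


if __name__ == "__main__":
    emails = [0, 45, 90, 165]  # constructed timeline matching the example above
    print(replay(60, emails))               # [True, False, False, True]
    print(longest_cached_span(60, emails))  # 90
```

With the policy at 60, the third email is signed 90 minutes after the only PIN entry, so the policy value bounds idle time between operations, not the total lifetime of a cached PIN.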