Configuring a PIN Application

  1. Go to the Device Policy - Creation page. (If needed, review the information presented in the section Creating a Device Policy.)

  2. In the Action column, next to PIN, select Add, and then click Configure.

    The Configure PIN application page appears:

    Not all PIN settings are available. Which PIN settings are available depends on the middleware used and the type of device being configured. However, ActivID CMS cannot detect which of these settings are available.

  3. Note:
    • For a PIN application used with a virtual smart card device policy, keep the default PIN requirements. For virtual smart cards, the PIN policy is defined when the virtual smart card is created and cannot be changed by ActivID CMS. For details of the default PIN policy for virtual smart cards, see Creating a Virtual Smart Card.

    • For a PIN application used with a YubiKey policy, the PIN can only be numeric.

    • For a PIN application used with an Enterprise Contactless - Crescendo C2300 (2) policy, the PIN can be shared between the PIV (Personal Identity Verification, technical standard of "HSPD-12") and FIDO (Fast Identity Online) applet, and the PIV PIN can be either numeric or alphanumeric.

    Only some PIN policies (the first 6 shown above) are stored on the device and used when a PIN Change is performed on the end user station using the ActivID ActivClient middleware; other policies (the bottom 2 shown above) are only accessible to ActivID CMS and used when a PIN Change is performed using the ActivID CMS User Portal.

    • Minimum PIN Length—Enter the shortest length possible for a PIN. The value cannot be smaller than your company’s device profile.

    • Maximum PIN Length—Enter the longest length possible for a PIN. The value cannot be larger than your company’s device profile.

    • Note: For a PIN application used with a YubiKey policy, the maximum/minimum PIN lengths cannot be set and these parameters have no effect. By default, the maximum/minimum PIN values are 8 and 6, respectively.

    • Maximum Number of Wrong PIN Tries Before Locking the Card—Enter the maximum number of wrong PINs allowed. If the user has exceeded the number of consecutive wrong PIN entries, then the card will be automatically locked. A locked card cannot be used until it is unlocked. (This option applies only to cards with ActivID applets.)

    • Maximum Number of Wrong Unlock Tries Before Blocking the Card—Enter the maximum number of consecutive wrong unlock attempts allowed. If the user has exceeded the maximum number of unlock attempts, then the card is no longer usable and a new card must be issued for the user. (This option applies only to cards with ActivID applets.)

    • Force PIN to be Changed on First Card Usage option—Select Yes if you want the user to change the PIN the first time s/he uses the card.

    • Allow Weak PIN option—Select Yes if you want to allow the user to have a weak PIN code (not recommended, but available). For example, a PIN code is weak if the distance between sequential digits is a constant value, as with repeated or consecutive numbers. Using the minimum PIN length of 6 digits as an example, 000000 and 123456 are weak PIN codes while 152749 and 194269 are considered strong PIN codes.

    • Force PIN to Contain a Minimal Number of Letters option—Select Yes if you want the PIN to contain at least one letter.

    • Minimum Number of Letters—Accept 1 (the default) or change.

    • Force PIN to Contain a Minimal Number of Digits option—Select Yes if you want the PIN to contain at least one digit.

    • Minimum Number of Digits—Accept 1 (the default) or change.

    • Note: When you select Yes for the Force PIN to Contain a Minimal Number of Letters option, the Force PIN to Contain a Minimal Number of Digits option, or both, the Force PIN to Contain Only Digits option is automatically set to No and disabled (as shown above).

    • Force PIN to Contain Only Digits option—Select Yes if you want the PIN to contain only digits.

    • Note: When you select Yes for the Force PIN to Contain Only Digits option, both the Force PIN to Contain a Minimal Number of Letters option and Force PIN to Contain a Minimal Number of Digits option are hidden.

    • Share PIN with FIDO—Select Yes if you want to allow the PIN to be shared between the PIV and FIDO applet.

  4. Click Set.
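The PIN rules configured in step 3 can be checked offline against candidate PINs before a policy is rolled out. The following is an added example, not ActivID CMS or ActivClient code: the class, field and function names are hypothetical, the weak-PIN test is one reading of the "constant distance" rule above (extended to letters by comparing character codes), and the ASCII alphanumeric character set is an assumption.

```python
from dataclasses import dataclass


@dataclass
class PinPolicy:
    # Hypothetical field names mirroring the settings on the Configure PIN page.
    min_length: int = 6
    max_length: int = 8
    allow_weak: bool = False
    min_letters: int = 0   # 0 means "Force PIN to Contain ... Letters" is No
    min_digits: int = 0    # 0 means "Force PIN to Contain ... Digits" is No
    digits_only: bool = False

    def __post_init__(self):
        if self.min_length > self.max_length:
            raise ValueError("minimum PIN length exceeds maximum PIN length")
        # The page makes digits-only and the letter/digit minimums exclusive.
        if self.digits_only and (self.min_letters or self.min_digits):
            raise ValueError("digits-only conflicts with letter/digit minimums")


def is_weak_pin(pin: str) -> bool:
    """True when the distance between successive characters is constant."""
    if len(pin) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1


def check_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return the names of the violated rules; an empty list means accepted."""
    errors = []
    # Assumption: PINs are ASCII letters and digits only.
    if not (pin.isascii() and pin.isalnum()):
        errors.append("charset")
    if not policy.min_length <= len(pin) <= policy.max_length:
        errors.append("length")
    if policy.digits_only and not pin.isdigit():
        errors.append("digits_only")
    if sum(c.isalpha() for c in pin) < policy.min_letters:
        errors.append("min_letters")
    if sum(c.isdigit() for c in pin) < policy.min_digits:
        errors.append("min_digits")
    if not policy.allow_weak and is_weak_pin(pin):
        errors.append("weak")
    return errors
```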