Devices
From the Devices view, you can access a comprehensive set of functionalities to manage and interact with your devices.
Here, you can select a device, authenticate to it, and perform various management actions, such as changing or unblocking the PIN.
Open Crescendo Manager and insert your Crescendo Key or Card. The Devices view opens by default unless you have set a different starting screen. In such case, click Devices in the left navigation pane.
Connected devices are shown as tiles.
A device's content is fully loaded when the device's ID is displayed under the device's name.
Actions Available From the Devices View
The actions available from the Devices view depend on the token type and its configuration.
Notably, fewer options are available for managed devices Smart cards, tokens, or other secure devices administered and controlled through a management platform or system, typically used for secure authentication, encryption, or access control in enterprise environments. , where most features are read-only.

Authenticating to a Device
Authenticate to a selected device from any view by clicking the authentication button in the right of the title bar.
- A closed red lock
symbol indicates that the PIN hasn't been entered, and the device is locked.
- Upon entering the PIN, the symbol changes to an open lock and turns blue
, indicating successful authentication.
This authentication applies to future actions performed with the device, although some actions may still require the PIN for confirmation.
If you do not authenticate to a token using the authentication button, some operations will prompt for authentication automatically.

Change PIN
To change the PIN for any connected token, click the Change PIN action link in the device's interface in the Devices view, or click the kebab menu button in the top-right corner of that token's interface. (You do not need to have the token selected to perform this action.)
A simple Change PIN dialog will open:
-
The default Crescendo PIN is set to eight zeroes (2300 family) or six zeroes (4000 family). You can enter this default value by selecting the default checkbox.
-
To display the PIN, click and hold the visibility eye icon.
When setting a new PIN, the policy regulating PIN entry is displayed in a bubble above the New PIN field:
This policy can be modified via the Update PIN Policies action, accessible through the kebab menu in the device's interface.

Unblock PIN
This action enables you to reset the PIN in case it is forgotten or when reassigning a token to a new user.
To unblock the PIN for any connected token, click the Unblock PIN action link in the token's interface in the Devices view, or click the kebab menu button in the top-right corner of that token's interface. (You do not need to have the token selected to perform this action.)
To unblock the PIN:
- Select the available authentication data to unblock the token:
- Insert the new PIN and confirm by entering it into the Confirm PIN field.
- Click Submit to change the PIN.

Configure, Manage, and View PUK
If you enter the wrong PIN too many times, your token will lock and a PUK PIN Unblock Key. A code used to reset the personal identification number (PIN) in devices after they have been locked due to multiple incorrect PIN entries. is required to unlock it.
If no PUK has been set for the token, you can configure one. You can also view, change, or delete an existing PUK if needed.
-
All PUK-related actions require confirmation with your current PIN unless you have already authenticated to the token using the authentication button in the title bar.
-
The available actions depend on the token type and configuration. Some of the described actions may not be available for your specific token.

Configure a New PUK
-
Navigate to the Devices view and click the kebab menu button
in the top-right corner of the token's interface. (You do not need to have the token selected to perform this action.)
-
Select Configure PUK.
-
Enter the PUK value (an 8-digit decimal or a 16-digit hexadecimal number) in the New PUK field or use the Generate button to generate a new hexadecimal PUK
-
Click Set to set the new PUK.

View PUK
-
Navigate to the Devices view and click the kebab menu button
in the top-right corner of the token's interface. (You do not need to have the token selected to perform this action.)
-
Select View PUK if available, or select Manage PUK
and in the Select Action dropdown, select View PUK.
-
The current PUK will be displayed, allowing you to copy it.

Change PUK
-
Navigate to the Devices view and click the kebab menu button
in the top-right corner of the token's interface. (You do not need to have the token selected to perform this action.)
-
Select Manage PUK.
-
In the Select Action dropdown, leave Configure PUK selected.
-
Enter the PUK value (an 8-digit decimal or a 16-digit hexadecimal number) in the New PUK field or use the Generate button to generate a new hexadecimal PUK.
-
Click Set to set the new PUK.

Change Management Key
To update the management key A cryptographic key used to control and manage secure operations on a token, such as configuring, updating, or modifying sensitive data. used by your device, navigate to the Devices view and click the kebab menu button in the top-right corner of the token's interface. (You do not need to have the token selected to perform this action.).
Follow these steps to change the management key:
- Select the authentication method for authorizing the management key change (by PIN or by the management key).
If you are already authenticated to the device, you will not be prompted to authorize the key change in the last step.
If you selected to authenticate with PIN, see point 3.
- If you selected to authenticate with the management key, enter the current management key in the provided Old Management Key field. If you are using the default key, select the default checkbox.
- Enter the New Management Key you wish to set. For enhanced security, you can select:
- Random AES Advanced Encryption Standard. A symmetric key encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST). key to generate a new, random AES key.
- Random TDES Triple Data Encryption Standard. An encryption algorithm that uses three separate keys for encryption, providing a higher level of security than its predecessor, the Data Encryption Standard (DES). key to generate a new, random TDES key.
- Click Change Key to finalize the action.

Update PIN Policies
To access Update PIN Policies, navigate to the Devices view and click the kebab menu button in the top-right corner of the token's interface.
This feature allows you to view and update the current PIN policies set for your token. These policies may vary depending on the device type and profile.
Pin Policy Options
-
Min/Max PIN Length: Specify the minimum and maximum PIN length.
-
PIN Format: Choose whether the PIN can include both letters and numbers (alphanumeric format) or numbers only (numeric format).
-
Force PIN Change: When enabled, the token will not allow the user to perform any action until the PIN is changed. Whenever such a token is inserted, Crescendo Manager will display a warning requiring PIN change.
Note: This PIN policy only affects Crescendo 4000 family devices. For the Crescendo 2300 family, setting the Force PIN Change policy will only result in a prompt being displayed upon and will not impact token usage. -
Challenge Type: Select between static or dynamic mode.
-
In static mode, the challenge is
.
Note: The Static option has been deprecated since the introduction of the Crescendo 4000 family.-
In dynamic mode, the challenge is generated randomly each time.
-
-
Weak PIN A PIN in which the difference between each character or digit and the following one is a constant. For example, a PIN that is a sequence of the same number or character, or an increasing/decreasing sequence of numbers or characters (1234, 4321, 86420, ABCD, acegik, etc.) is a weak PIN. Control: When this policy is enabled, Crescendo Manager and other Crescendo family tools will not allow the user to select a PIN that is overly simple.
Note: This policy is enforced by the software only; therefore, a weak PIN may still be set using, e.g., the APDU Access tool. -
FIDO Fast IDentity Online. A security standard used for online authentication, based on a cryptographic key pair unique to each online service. For more information, visit https://fidoalliance.org/how-fido-works/ Shared PIN: If this policy is enabled, any changes to the token PIN will also update the FIDO PIN, and vice versa. If disabled, the FIDO and token PINs remain separate.
Note: This policy is available only for the Crescendo 4000 family and can only be set during the Personalize action.Tip! To learn more about using Crescendo FIDO, visit the HID Crescendo FIDO webpage.

Clear Cache
For enhanced performance, Crescendo Manager internally caches the state of the connected tokens (including token properties, certificates, keys, OTPs, etc.).
Additionally, since Crescendo Manager communicates with devices via Crescendo Minidrivers (one for the Crescendo 2300 family and one for the Crescendo 4000 family), these components also create cache externally to Crescendo Manager.
This action clears both the Minidriver and Crescendo Manager caches for the selected token. This is particularly useful in rare instances when the device's internal state (cache), as recorded by Crescendo Manager, becomes invalid due to external programs communicating with the device or because of an internal error. The Clear Cache functionality is designed to resolve such inconsistencies by reloading the device state.
To clear a token's caches:
-
Navigate to the Devices view and click the kebab menu button
in the top-right corner of the token's interface.
-
Click Clear Cache.
-
The caches for the selected token will be cleared.

Recycle Device
This action resets the token configuration to its original state, as it was when it left manufacturing.
Recycling a Token
To recycle a token:
-
Navigate to the Devices view and click the kebab menu button
in the top-right corner of the token's interface.
-
Select Recycle Device.
-
Authenticate to confirm this action.
The token will be reset to factory settings. To start using the token, you have to personalize it.
Personalizing a Token
If a token is in factory settings (e.g., after being recycled), you must personalize it before you can start using it.
To personalize a token:
-
Click the Personalize link on the token tile in the Devices view.
-
In the Personalize dialog, click the PIN Policies dropdown to configure PIN policies for the token and set the PIN.
-
Click Submit.