PIN Expiry How to Guide

From Swivel Knowledgebase Wiki

Contents 1 Overview 2 PIN Expiry Setting 3 PIN Expiry related settings 3.1 PIN expiry warning (days) 3.2 PIN Expiry Check 3.3 Auto-reset PIN on expiry 3.4 PIN change grace period (days): 3.5 Only warn user, do not lock account 3.6 PIN Expiry exemption 4 PIN Expiry Implementation 5 PIN Expiry Troubleshooting 5.1 Error Messages

Overview

PINsafe has a PIN expiry feature which allows PIN numbers to expire and not be usable after a certain length of time or to resend a new PIN. This document explains how the PIN Expiry feature works

PIN Expiry Setting

PIN Expiry is a global setting affecting all users on the PINsafe instance. To change the PIN Expiry setting, on the PINsafe Administration Console select Policy then PIN and OTC.

PIN expiry (days): Default 0. A value in days that the PIN will expire if the account does not have a successful login.

PIN Expiry related settings

PIN expiry warning (days)

This option allows the user to be notified in advance that their PIN number should changed.

PIN expiry warning (days): Default 7

How often the PIN expiry reminder is sent to the user is determined by the PIN expiry check located under Server then Jobs.

PIN Expiry Check

This is how often users are checked for expired PIN numbers. Each time it is run it will check for expired PIN numbers, and if it is within the PIN expiry warning period, the user is notified it must be changed. To change how often PIN expiry messages are sent change this value.

Note: If this value is set to 0 days, users will not be given any notice of PIN expiry.

Note: A users PIN may expire at a time before the PIN expiry check becoming locked but not being marked as locked, the account may only become marked as locked when the PIN expiry check is run.

Auto-reset PIN on expiry

The user can be automatically sent a new PIN number when the PIN expires. A transport will need to be setup to send the user a PIN number, see Transport Configuration.

To change the PIN Expiry setting, on the PINsafe Administration Console select Policy then PIN and OTC.

Auto-reset PIN on expiry: Default: No, Options Yes/No

PIN change grace period (days):

The grace period only applies to users that have become locked because their PIN has expired and then the user account is unlocked. This option gives users an additional period to change their PIN before the account becomes locked again. Users whose account has become locked because of too many wrong login attempts are not affected by this.

PIN change grace period (days): Default 0

Only warn user, do not lock account

This options allows the user to be told that they should change their PIN. but does not lock the users account.

Only warn user, do not lock account:, Default: No, Options Yes/No

PIN Expiry exemption

Certain users can be exempted from PIN expiry by selecting PIN never expires: option located under User Administration, select the required user, then click on policy.

PIN Expiry Implementation

If PIN Expiry is to be applied to an existing PINsafe instance, all users that have not had their PIN changed within the PIN expiry value will have their accounts locked. Therefore a process of warning users and not enforcing the PIN change for a certain period or using Auto-reset PIN on expiry may be suitable.

Users who are required to Change their PIN should have available a method of changing their PIN, for more information see the ChangePIN How to Guide

PIN Expiry Troubleshooting

Error Messages

Access-Request(1) LEN=192.168.1.1.:12685: Access-Request by username Failed: AccessRejectException: AGENT_ERROR_PIN_EXPIRED

Login failed for user; username, error The user's PIN has expired

User "username" has been locked, reason: The users's PIN has expired.

This is the sequence of messages for an expired PIN