PIN Expiry How to Guide
Overview
Swivel has a PIN expiry feature that makes a PIN expire and become unusable after a certain length of time, or sends the user a new PIN. This document explains how the PIN Expiry feature works.
PIN Expiry Setting
PIN Expiry is a global setting affecting all users on the Swivel instance and is located under Policy\PIN and OTC. To change the PIN Expiry setting, on the Swivel Administration Console select Policy then PIN and OTC.
PIN expiry (days): Default 0. The number of days after which the PIN expires if it has not been changed. A value of 0 disables PIN expiry.
The PIN expiry time is reset after the following:
- ChangePIN
- Reset PIN from the Admin/helpdesk
- Resend PIN from the Admin/helpdesk
- ResetPIN from the ResetPIN utility
PIN expiry after auto/admin reset (days):
PIN expiry after auto/admin reset (days): default 0 (Disabled). The requirement for a user to change their PIN following its automatic setting by the server. A user's PIN may be set automatically in two situations: during their initial import into the user population and during a self-reset. Enabling this option requires the user to change their PIN following either of these events. The user may be informed of this requirement via an alert or by an agent that supports the display of warnings to the user.
PIN expiry warning (days)
This option is located under Policy\PIN and OTC and allows the user to be notified in advance that their PIN should be changed.
PIN expiry warning (days): Default 7
How often the PIN expiry reminder is sent to the user is determined by the PIN expiry check, located under Server then Jobs. When Auto-reset PIN on expiry is used, this value is also how far in advance the new PIN is sent out; if it is set to 0, no new PIN will be sent.
PIN Expiry Check
This is located under Server\Jobs and is how often users are checked for expired PIN numbers. Each time it is run it will check for expired PIN numbers, and if it is within the PIN expiry warning period, the user is notified it must be changed. To change how often PIN expiry messages are sent change this value. For information on creating custom schedules see Schedule.
Note: If this value is set to 0 days, users will not be given any notice of PIN expiry.
Note: A user's PIN may expire before the PIN expiry check next runs. In that case the account is locked but not yet marked as locked; it may only become marked as locked when the PIN expiry check is run.
Auto-reset PIN on expiry
The user can be automatically sent a new PIN when the PIN expires. This option is located under Policy\PIN and OTC. A transport will need to be set up to send the user a PIN; see Transport Configuration. The PIN Expiry Warning determines how far in advance of expiry the new PIN is sent out; if it is set to 0, no new PIN is sent out.
To change the PIN Expiry setting, on the Swivel Administration Console select Policy then PIN and OTC.
Auto-reset PIN on expiry: Default: No, Options Yes/No
PIN change grace period (days):
The grace period only applies to users that have become locked because their PIN has expired and then the user account is unlocked. This option is located under Policy\PIN and OTC and gives users an additional period to change their PIN before the account becomes locked again. Users whose account has become locked because of too many wrong login attempts are not affected by this.
PIN change grace period (days): Default 0
Only warn user, do not lock account
This option is located under Policy\PIN and OTC and allows the user to be told that they should change their PIN, but does not lock the user's account.
Only warn user, do not lock account: Default: No, Options Yes/No
PIN Expiry exemption
Certain users can be exempted from PIN expiry by selecting the PIN never expires option. It is located under User Administration: select the required user, then click on policy.
PIN Expiry Implementation
If PIN Expiry is to be applied to an existing Swivel instance, all users that have not had their PIN changed within the PIN expiry value will have their accounts locked. Therefore a process of warning users and not enforcing the PIN change for a certain period or using Auto-reset PIN on expiry may be suitable.
Users who are required to change their PIN should have a method of changing their PIN available. For more information see the ChangePIN How to Guide.
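The impact check this section calls for can be scripted before PIN expiry is switched on. The following is an added example, not Swivel code: it assumes a hypothetical CSV export of users with `username`, `last_pin_change` and `pin_never_expires` columns, and the exact day boundaries it uses are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are hypothetical, not a Swivel format.
SAMPLE_EXPORT = """username,last_pin_change,pin_never_expires
alice,2024-01-10,no
bob,2024-05-20,no
carol,2024-03-08,no
svc-backup,2022-11-01,yes
dave,,no
"""


def classify(export_text, today, expiry_days, warning_days):
    """Group users by what the given PIN expiry policy would do to them today."""
    groups = {k: [] for k in ("disabled", "exempt", "review", "locked", "warned", "ok")}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        if expiry_days == 0:
            groups["disabled"].append(user)   # a value of 0 disables PIN expiry
        elif row["pin_never_expires"].strip().lower() == "yes":
            groups["exempt"].append(user)     # "PIN never expires" user policy
        elif not row["last_pin_change"].strip():
            groups["review"].append(user)     # no recorded change: check by hand
        else:
            age = (today - date.fromisoformat(row["last_pin_change"].strip())).days
            remaining = expiry_days - age
            if remaining <= 0:                # exact boundary is an assumption
                groups["locked"].append(user)
            elif remaining <= warning_days:   # inside the warning period
                groups["warned"].append(user)
            else:
                groups["ok"].append(user)
    return groups


if __name__ == "__main__":
    for name, users in classify(SAMPLE_EXPORT, date(2024, 6, 1), 90, 7).items():
        print(f"{name:8} {', '.join(users) or '-'}")
```

Users in the `locked` group are the ones to warn, or to cover with Auto-reset PIN on expiry, before enforcement starts.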
PIN Expiry Troubleshooting
Known Issues
Swivel 3.10 to 3.10.4 - A user is sent a new PIN instead of a warning that their PIN is about to expire. To overcome this, update to a more recent version or increase the PIN expiry by the PIN expiry warning period, although the user will not receive a warning message.
Swivel 3.9.1 to 3.9.5 - The PIN expiry may fail if the user has never reset their PIN. Upgrade to a version later than 3.9.5.
PIN expiry messages are not sent to users in some versions of 3.5 to 3.8. This is fixed in Swivel version 3.9.
Error Messages
Access-Request(1) LEN=192.168.1.1.:12685: Access-Request by username Failed: AccessRejectException: AGENT_ERROR_PIN_EXPIRED
Login failed for user; username, error The user's PIN has expired
User "username" has been locked, reason: The users's PIN has expired.
This is the sequence of messages for an expired PIN.
ERROR - Job (DEFAULT.PIN_EXPIRY threw an exception
ERROR - Job (DEFAULT.PIN_EXPIRY threw an exception. org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: java.lang.NullPointerException]
    at org.quartz.core.JobRunShell.run(JobRunShell.java:206)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
* Nested Exception (Underlying Cause) ---------------
java.lang.NullPointerException
    at java.util.Calendar.setTime(Unknown Source)
    at com.swiveltechnologies.pinsafe.server.policy.PinExpiry.doCheckExpiry(PinExpiry.java:159)
    at com.swiveltechnologies.pinsafe.server.policy.PinExpiry.execute(PinExpiry.java:225)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
This error has been seen in Swivel versions 3.93, and is resolved in 3.9.4. It only affects systems where the grace period has been set to a value other than 0. Setting the grace period to 0 prevents this issue from occurring.
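The messages in this section can be triaged from a log export with a short script. The following is an added example, not part of Swivel: it groups the expired-PIN messages by user, lists users rejected for an expired PIN who are not yet marked as locked (the case described in the PIN Expiry Check note), and counts PIN_EXPIRY job exceptions. The sample lines are constructed from the message formats quoted above, with invented usernames.

```python
import re

# Constructed sample lines modelled on the messages quoted above; usernames are invented.
SAMPLE_LOG = """\
Access-Request(1) LEN=192.168.1.1.:12685: Access-Request by alice Failed: AccessRejectException: AGENT_ERROR_PIN_EXPIRED
Login failed for user; alice, error The user's PIN has expired
User "alice" has been locked, reason: The users's PIN has expired.
Access-Request(1) LEN=192.168.1.1.:12686: Access-Request by bob Failed: AccessRejectException: AGENT_ERROR_PIN_EXPIRED
Login failed for user; bob, error The user's PIN has expired
ERROR - Job (DEFAULT.PIN_EXPIRY threw an exception. org.quartz.SchedulerException: Job threw an unhandled exception.
"""

# One pattern per message in the expired-PIN sequence; group 1 is the username.
PATTERNS = {
    "rejected": re.compile(
        r"Access-Request by (\S+) Failed: AccessRejectException: AGENT_ERROR_PIN_EXPIRED"),
    "login_failed": re.compile(
        r"Login failed for user; (\S+), error The user's PIN has expired"),
    "locked": re.compile(
        r'''User "([^"]+)" has been locked, reason: The users's PIN has expired'''),
}
JOB_FAILURE = "Job (DEFAULT.PIN_EXPIRY threw an exception"


def triage(log_text):
    """Return per-user message stages, users not yet marked locked, and job failures."""
    stages = {}
    job_failures = 0
    for line in log_text.splitlines():
        if JOB_FAILURE in line:
            job_failures += 1          # the PIN expiry check itself is failing
            continue
        for stage, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                stages.setdefault(match.group(1), set()).add(stage)
    not_marked = sorted(u for u, seen in stages.items() if "locked" not in seen)
    return {"stages": stages,
            "expired_not_marked_locked": not_marked,
            "job_failures": job_failures}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `job_failures` count alongside users in `expired_not_marked_locked` suggests the PIN expiry check is not completing, so check the version and grace period against the known issue above.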