PIN Security How To Guide

From Swivel Knowledgebase


Overview

PINsafe provides a number of ways to ensure that PIN numbers are effectively and securely used.

  • PIN is never typed directly into the keyboard
  • PIN extraction to generate a One Time Code
  • PIN policy prevents repeated PIN digits
  • PIN policy prevents sequences of numbers being used
  • Minimum PIN length of 4 numbers
  • Randomly generated PIN number
  • ChangePIN utility to securely allow a user to change a PIN number
  • ResetPIN utility for lost and forgotten PIN numbers to perform a PIN reset
  • Use of one channel for security string and another channel or method for the PIN number

For information on using an OTC without PIN protection, see the PINless How To Guide.


PIN Policy

The following security policies may be used to enhance PIN security.


Account Lockout

After a set number of failed login attempts against an account, the account may be locked.


Maximum Repeated Digits

Used with ChangePIN

This is the maximum permitted total of repeated digits in a PIN; each additional occurrence of a digit counts as one repeat.

0 = No repeated digits. Example: 7204 is permitted, 6260 is not permitted.

1 = One digit may be repeated once. Example: 7202 is permitted, 3833 is not permitted, and 1122 is not permitted because 1 is repeated once and 2 is repeated once, giving a total of two repeated digits.


Do Not Allow Number Sequences

Used with ChangePIN

This option prevents users from having numeric sequences in their PIN number, such as 1234, 2468, 7654, 1357.

The following are not treated as sequences: 1123, 8901.


Banned Credentials

Used with ChangePIN

PINsafe 3.8 introduces the ability to ban PIN numbers that match an administrator-defined pattern.

For example, the pattern 19?? stops the creation of PIN numbers beginning with 19 (each ? stands for any single digit).


PIN Expiry

The PIN number can optionally be set to expire after a set period of time; see also the PIN Expiry How to Guide. Depending on the configuration used, one of the following actions may be taken when a PIN expires:


Account Lockout

Account becomes locked preventing its use.


Automatically Resend New PIN

This option causes a new random PIN number to be sent to the user when the current PIN number has expired.


ChangePIN on login or ChangePIN after Admin Reset or on First Login

When this is set, the user receives a notification that their PIN must be changed. If they do not change their PIN, the account will become locked and the next attempted login will be refused. Using RADIUS or Agent-XML, the user can be redirected to a ChangePIN page when they are required to change their PIN; see also the ChangePIN How to Guide.


PIN Change Grace Period

The grace period only applies to users whose account was locked because their PIN expired and has since been unlocked. This option gives such users an additional period in which to change their PIN before the account becomes locked again. Users whose account was locked because of too many wrong login attempts are not affected by this.


PIN Notifications

  • User must Change their PIN
  • A PIN number has changed


Helpdesk User cannot Reset PIN

This option prevents the helpdesk user from setting a PIN number to a known value for an account, see also Helpdesk Configuration Guide.


Static Passwords

PINsafe can use a static password in addition to a One Time Code. The static password makes shoulder surfing techniques less effective, because the attacker must observe both the OTC and the password. When a PINsafe password is set for a user, it must be used; see the Password How to Guide.


PIN Delivery Security

PIN Transport

The PIN number can be configured to be delivered by a different method from the security string.


Require Change of PIN

The user may be required to change their PIN on their first login.


Initial/Default PIN numbers

Although it is possible to set an initial default PIN number, this is not recommended; a randomly generated PIN is more secure.


Minimum PIN Size

The default PIN size is 4 digits. Increasing this may make the PIN harder for users to remember. For additional security, the PIN can be combined with a static password.


Changing Minimum PIN Size

Changing the minimum PIN size will not affect existing PIN users unless a new PIN is sent to them or they perform a change PIN.