PIN Security How To Guide
Contents
- 1 Overview
- 2 PIN Policy
- 3 Account Lockout
- 4 PIN delivery Security
- 5 Initial/Default PIN numbers
- 6 Minimum PIN Size
Overview
PINsafe provides a number of ways to ensure that PIN numbers are effectively and securely used.
- PIN is never typed directly into the keyboard
- PIN extraction to generate a One Time Code
- PIN policy prevents repeated PIN digits
- PIN policy prevents sequences of numbers being used
- Minimum PIN length of 4 numbers
- Randomly generated PIN number
- ChangePIN utility to securely allow a user to change a PIN number
- ResetPIN utility for lost and forgotten PIN numbers to perform a PIN reset
- Use of one channel for security string and another channel or method for the PIN number
For information on using an OTC without PIN protection, see the PINless How To Guide.
PIN Policy
The following security policies may be used to enhance PIN security.
Account Lockout
Where an attempt has been made to log into an account several times, the account may be locked after a set number of attempts.
Maximum Repeated Digits
Used with ChangePIN
This is the permitted sum of all repeated digits.
0 = No repeated digits. Example: 7204 is permitted, 6260 is not permitted.
1 = One digit may be repeated once. Example: 7202 is permitted, 3833 is not permitted, and 1122 is not permitted because 1 is repeated once and 2 is repeated once, giving a total of two repeated digits.
Do Not Allow Number Sequences
Used with ChangePIN
This option prevents users from having numeric sequences in their PIN number, such as 1234, 2468, 7654, 1357.
The following are not treated as sequences: 1123, 8901.
Banned Credentials
Used with ChangePIN
PINsafe 3.8 introduces banning of custom PIN numbers.
For example, 19?? stops the creation of PIN numbers beginning with 19.
PIN Expiry
The PIN number can be optionally set to expire after a certain length of time, see also PIN Expiry How to Guide. The following actions may be taken depending on the configuration used:
Account Lockout
Account becomes locked preventing its use.
Automatically Resend New PIN
This option allows a new random PIN number to be sent to the user when the current PIN number has expired.
ChangePIN on login or ChangePIN after Admin Reset or on First Login
When this is set the user receives a notification that their PIN must be changed. If they do not change their PIN, the account will become locked and will not allow the next attempted login. Using RADIUS or Agent-XML the user can be redirected to a ChangePIN page when required to change their PIN, see also ChangePIN How to Guide.
PIN Change Grace Period
The grace period only applies to users that have become locked because their PIN has expired and then the user account is unlocked. This option gives users an additional period to change their PIN before the account becomes locked again. Users whose account has become locked because of too many wrong login attempts are not affected by this.
PIN Notifications
- User must Change their PIN
- A PIN number has changed
Helpdesk User cannot Reset PIN
This option prevents the helpdesk user from setting a PIN number to a known value for an account, see also Helpdesk Configuration Guide.
Static Passwords
PINsafe can use a static password in addition to a One Time Code. The static password may be used to make shoulder surfing techniques less effective due to the combined length of the OTC and password. When a PINsafe password is set for a user, it must be used, see Password How to Guide.
PIN delivery Security
PIN Transport
The PIN number can be configured to be delivered by a different method from the security string.
Require Change of PIN
The user may be required to change their PIN on their first login.
Initial/Default PIN numbers
Although possible, setting initial default PIN numbers is not recommended; a randomly generated PIN is more secure.
Minimum PIN Size
The default PIN size is 4 digits. Increasing this may make it more difficult for users to remember. For security reasons the PIN can be used with a static password.
Changing Minimum PIN Size
Changing the minimum PIN size will not affect existing PIN users unless a new PIN is sent to them or they perform a change PIN.