After you use the Security Console wizard to connect to the cloud, Approve authentication on legacy authentication agents requires the user to enter a username and PIN. See Set User Expectations for Device Registration and Authentication for information on PIN usage during the user's first authentication.
Clearing User PINs for Approve
When a user forgets the PIN they use for Approve authentication, you can clear the PIN so that the user can create a new one. After you clear the PIN, the user can create a new PIN either in the Self-Service Console or the next time the user authenticates. For instructions, see Clear an RSA SecurID PIN and Clear an RSA SecurID PIN in the User Dashboard.
Requiring Users to Change Their PIN for Approve
When you require a user to change a PIN for Approve, the user is prompted to create a new PIN after successfully authenticating with Approve. The user can also change the PIN in the Self-Service Console.
You can require a PIN change only when the user knows the existing PIN. For example, you might require a user to change a PIN if the current PIN has been compromised. If the user has forgotten the PIN, clear the PIN instead.
Note: The RSA SecurID PIN and the Approve PIN are the same for the initial Approve authentication. A user can change the PINs later and have two different PINs.