A personal identification number (PIN) is a numeric password used to authenticate a user.
To increase security, you can set the token policy to require users to create PINs containing both letters and numbers and to change their PINs at regular intervals. See Token Policy.
Misplaced or stolen PINs puts protected resources at risk. For this reason, you should instruct users to report compromised PINs as soon as possible.
When a user reports a compromised PIN, you can require the user to change his or her PIN after the next successful authentication.
When a user is required to change a PIN, the user must know his or her current PIN. To change a PIN, the user authenticates using the existing PIN and tokencode. After successfully authenticating, the user is prompted to create and confirm a new PIN, and the PIN is associated with the user’s token.
For example, suppose a user reports that she used her computer at a local coffee shop, and now she is worried that someone may have seen her type her PIN. After you receive the report, you use the Security Console to require the user to change her PIN. For instructions, see Require Users to Change Their RSA SecurID PINs.
The token policy may require the user to use a system-generated PIN instead of creating one. After the next authentication, the system provides the user with a new, system-generated PIN. The user then authenticates again using the new, system-generated PIN.
If users forget their PINs, you cannot require them to change their PINS in order to obtain a new one because users need to know their PINs in order to change them. Do the following:
- Users with RSA SecurID 800 authenticators need a PIN unlocking key. You, the administrator, must provide this information. For instructions, see Obtain the PIN Unlocking Key for an RSA SecurID 800 Authenticator .
- When a user forgets his or her PIN, you must clear the PIN before the user can create a new one. For instructions, see, Clear an RSA SecurID PIN..
Users can also use Self-Service to reset their PINs.
Note: On-demand authentication (ODA) users also require PINs. For more information, see PINs for On-Demand Authentication.