Manage PINs for Approve and Device Biometrics Authentication

After you use the Security Console wizard to connect to Cloud Access Service (CAS), Approve and Device Biometrics authentication on legacy authentication agents requires the user to enter a username and PIN.

The RSA SecurID Token PIN, the Approve PIN, and Device Biometrics PIN are the same for the initial Approve or Device Biometrics authentication. A user can change the PINs later and have an RSA SecurID Token PIN and a different PIN for Approve and Device Biometrics. Approve and Device Biometrics always use the same PIN. See Using PINs During the First Approve or Device Biometrics Authentication on RSA Community for information on PIN usage during the user's first authentication.

Clearing User PINs for Approve and Device Biometrics Authentication

When a user forgets the PIN to use for Approve or Device Biometrics authentication, you can clear the PIN so the user can create a new PIN in the Self-Service Console, or the next time the user authenticates.

For more information, see Clear an RSA SecurID PIN and Clear an RSA SecurID PIN in the User Dashboard.

Requiring Users to Change Their PINs for Approve and Device Biometrics

When you require a user to change a PIN for Approve and Device Biometrics, the user is prompted to create a new PIN after successfully authenticating with either method. The user can also change the PIN in the Self-Service Console

If the current PIN has been compromised, require the user to change the PIN. If a user has forgotten the PIN, clear the PIN so the user can set a new PIN.

For more information, see Require Users to Change Their RSA SecurID PINs and Use the User Dashboard to Require PIN Changes.