PINs for On-Demand Authentication

Users must have a PIN for on-demand authentication (ODA). These PINs are governed by the user’s security domain PIN policy. Be aware of the following tasks related to PINs for ODA:

• Setting a PIN

  Users can set initial PINs using the Self-Service Console. If you want users to do this, you must configure this option when you configure ODA for the user. If you do not want users to set their initial PINs, you can use the Security Console to set users’ initial PINs.

• Clearing a PIN

  You might clear a PIN that is forgotten, expired, or compromised. If you clear a user’s PIN, you must assign the user a temporary PIN before the user can attempt to log on to a resource protected with ODA. Use the Security Console to clear a PIN and provide the temporary PIN to the user.

• Changing a PIN

  Users who are enabled for ODA can change their ODA PINs after logging on to the Self-Service Console or during authentication. Users need to change their PINs when the PINs expire or when you force a PIN change. You might force a PIN change when you think that the PIN is compromised. If you want to force a PIN change, use the Security Console to clear the user’s PIN and set a temporary PIN.

For instructions on how to require users to set their initial PIN, see On-Demand Authentication with an Authentication Agent or a RADIUS Client. For instructions on how to clear a temporary PIN and force users to change their initial PIN, see Set a Temporary On-Demand Tokencode PIN for a User.