Users must have a PIN for on-demand authentication (ODA). These PINs are governed by the user’s security domain PIN policy. Be aware of the following tasks related to PINs for ODA:
Setting a PIN
Users can set initial PINs using the Self-Service Console. If you want users to do this, you must configure this option when you configure ODA for the user. If you do not want users to set their initial PINs, you can use the Security Console to set users’ initial PINs.
Clearing a PIN
You might clear a PIN that is forgotten, expired, or compromised. If you clear a user’s PIN, you must assign the user a temporary PIN before the user can attempt to log on to a resource protected with ODA. Use the Security Console to clear a PIN and provide the temporary PIN to the user.
Changing a PIN
Users who are enabled for ODA can change their ODA PINs after logging on to the Self-Service Console or during authentication. Users need to change their PINs when the PINs expire or when you force a PIN change. You might force a PIN change when you think that the PIN is compromised. If you want to force a PIN change, use the Security Console to clear the user’s PIN and set a temporary PIN.