Users who will receive on-demand tokencodes must be enabled for on-demand authentication (ODA). When a user is enabled, you can specify a delivery method for the tokencodes, the length of time that the user can request on-demand tokencodes, and whether users can set initial PINs using the Self-Service Console. For instructions, see Enable On-Demand Authentication for a User.
An administrator can clear a PIN that is forgotten, expired, or compromised, and then provide a temporary PIN to the user. An administrators can require PIN changes. For more information, see PINs for On-Demand Authentication.