On-demand tokencodes always require a PIN. As a result, an administrator cannot clear the PIN of a user with an on-demand tokencode without assigning a temporary PIN. The user experience of changing the PIN of an on-demand tokencode depends on the method used to request the tokencode.
For a tokencode requested through an authentication agent or RADIUS client:
The user attempts to access a protected resource, and the agent prompts the user to enter a User ID and passcode.
When prompted for the passcode, the user enters the current PIN, which could be an expiring PIN or a temporary PIN assigned by the administrator.
The agent prompts the user to enter a new PIN and to confirm the new PIN.
The user enters a new PIN and confirms the new PIN.
The agent prompts the user to enter a passcode.
The user enters the new PIN.
Authentication Manager sends the on-demand tokencode to the user.
When the agent prompts the user for next tokencode, the user enters the received on-demand tokencode.