There are various ways to do it.
How the system is designed is: Users set up their own pin so no one else knows what it is (more secure).
Normally, there is no pin at the beginning, and the first device the user logs into will prompt the user
to set up a new pin once the tokencode alone works for a login attempt.
If you allow token provisioning on the self service console, one option there is that users can set up
a new pin ahead of time. So, on first use of the token they just use the pin+tokencode first time.
A workaround for an administrator to set up a pin for a user ahead of time, without the user
being involved, could be:
-assign a token to a user
-generate an emergency tokencode for that token
-the admin can log into self-service or security console as that userid and emergency code
-the emergency code login will ask to set up a new pin if the token was in new pin mode
-once you set the pin using the emergency code, that same pin applies to the token itself
AMBA can also be configured to set pins for tokens. Any command that can edit/assign a token and
also has the SetPin capability. *AUP has SetPin also but that is for a fixed passcode, not a token.
AMBA CPS (change pin status) explicitly just manages pins for assigned tokens..
Change PIN Status provides the following functionality:
-Clear the PIN associated with the specified token serial. The token will automatically
be placed in new PIN mode.
-Set the PIN associated with the specified token serial to an explicit value.
-Force the specified token serial into new PIN mode.
