Perform PIN Unblock

Anthony - Versasec Support

Introduction

There are several ways that a managed credential’s PIN code can be reset (a PIN reset is also commonly referred to as PIN unblock). A managed credential here refers to credentials that are issued to end users or operators from vSEC:CMS. Operators here refer to persons who are issued with Operator Credentials (OC) that can log onto the vSEC:CMS Agent or Admin application.

Note
For the System Owner (SO) token, the reset/unblock procedure is different. Refer to the section Unblock System Owner Token below for details on how to reset the SO PIN.

This article will describe the different ways that a PIN can be reset with vSEC:CMS. We will break this article into Online PIN Reset and Offline PIN Reset sections.

Online means that the credential in question being reset is connected (online) to the vSEC:CMS.

Offline means there is no connection from the credential to vSEC:CMS. In this case a challenge/response operation will need to be performed when unblocking the PIN (typically this involves contacting a helpdesk person).

Online PIN Reset

In an online scenario the credential whose PIN is being reset needs to be connected to vSEC:CMS. This can be either through the vSEC:CMS User application, vSEC:CMS Credential Provider (vSEC:CMS CP) or the vSEC:CMS Agent or Admin application.

Reset via vSEC:CMS User

A credential can be reset via the vSEC:CMS User application if the credential template has been configured to allow for this. This means that at minimum it will need to have vSEC:CMS User support enabled. Select a template from Templates - Card Templates and click the Edit button. Then from the General section make sure that at minimum you have enabled Self-service using the following template and selected a template from the drop-down list.

The selected template should have at minimum Enable selected like below.

From this dialog you can configure whether challenge/response for PIN unblock should be enforced, or whether the end user can choose between online unblock and challenge/response. To enforce challenge/response, select the Use smartcard for PIN Unblock option.


To let the end user choose between online unblock and challenge/response, select the checkbox User can choose smartcard challenge/response.


Additionally, the vSEC:CMS User connection needs to be already configured both on the server (under Options - Connections) and on the client. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for an example of how this configuration is set up.

Presuming your environment is configured correctly, open the vSEC:CMS User application on a client. From My PIN - Unblock PIN (Crypto) you should be able to perform the PIN reset. Depending on how you configured this in your environment, different methods of authenticating the user will be presented before the PIN reset is allowed to take place. During the PIN reset a challenge-response is performed in the background to reset the PIN.


Reset via vSEC:CMS CP

A credential can be reset via the vSEC:CMS CP if the credential template has been configured to allow for this and the vSEC:CMS CP has been installed using the client MSI (see the article Installing the vSEC:CMS User Application for details). This means that at minimum it will need to have vSEC:CMS User support enabled. Select a template from Templates - Card Templates and click the Edit button. Then from the General section make sure that at minimum you have enabled Self-service using the following template and selected a template from the drop-down list.

The selected template should have at minimum Enable selected like below.

Additionally, the vSEC:CMS User connection needs to be already configured both on the server (under Options - Connections) and on the client. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for an example of how this configuration is set up.

Presuming your environment is configured correctly and your client is online, i.e. the client can communicate with the vSEC:CMS server, then from the Windows logon screen select the Unblock PIN with vSEC:CMS USS option to perform the PIN reset.

On clicking the unblock option you should see something similar to the screen below. Which authentication options you get depends on what you configured on the credential template. During the PIN reset a challenge-response is performed in the background to reset the PIN.

Reset via OC

If the end user can physically visit an Operator who has access to the vSEC:CMS Agent or Admin console and is allowed to perform PIN resets, follow the instructions here to perform the PIN reset.

From the Agent application navigate to the PIN Unblock tab (or from the Admin application navigate to Actions - Smart Card Unblock), attach the credential that is to be reset, and ask the user to enter a new PIN and confirm it in the fields provided to reset the PIN.


Offline PIN Reset

In an offline scenario the credential whose PIN is being reset will be disconnected from vSEC:CMS. This scenario normally involves interaction with a helpdesk person to complete the PIN reset.

Reset via vSEC:CMS User

In this scenario the user will need to contact a helpdesk person to assist with the reset. From the PIN - Unblock PIN (Crypto) page you should see something similar to below. The user should select the reader that the credential is inserted into and click the Get button to generate the challenge code.


The challenge code should be provided to the helpdesk person. From the Agent application the helpdesk person then needs to navigate to the PIN Unblock tab (from the Admin application, to Actions - Smart Card Unblock), click the Search button and select the user whose credential is to be reset. Then manually enter the challenge code provided by the user and click the Cryptogram button to generate the reset code.


This code should then be provided back to the user, who enters it into the field provided and sets a new PIN to complete the reset.


Important
The challenge code, the generated cryptogram and the card session in which the challenge code was generated are bound one-to-one. If, for example, the user's credential is removed from the reader before the cryptogram is entered, the challenge-response is invalidated and a new challenge has to be generated.
Note
The 4-digit values shown to the right of the challenge and cryptogram fields are checksums. They help the user and the helpdesk person confirm that the challenge and cryptogram values were read out and entered correctly when exchanging these details.

Reset via vSEC:CMS Credential Provider

In this scenario the user will need to contact a helpdesk person to assist with the reset.

Presuming your environment is configured correctly and your client is offline, i.e. the client cannot communicate with the vSEC:CMS server, then from the Windows logon screen select the Unblock PIN with vSEC:CMS USS option to perform the PIN reset.

Note
The vSEC:CMS CP will need to be installed on the client. See the article Installing the vSEC:CMS User Application for details on this.

On clicking the unblock option you should see something similar to the screen below. The user should select the reader that the credential is inserted into and click the Get button to generate the challenge code.

The challenge code should be provided to the helpdesk person. From the Agent application the helpdesk person then needs to navigate to the PIN Unblock tab (from the Admin application, to Actions - Smart Card Unblock), click the Search button and select the user whose credential is to be reset. Then manually enter the challenge code provided by the user and click the Cryptogram button to generate the reset code.


This code should then be provided back to the user, who enters it into the field provided and sets a new PIN to complete the reset.

Important
The challenge code, the generated cryptogram and the card session in which the challenge code was generated are bound one-to-one. If, for example, the user's credential is removed from the reader before the cryptogram is entered, the challenge-response is invalidated and a new challenge has to be generated.
Note
The 4-digit values shown to the right of the challenge and cryptogram fields are checksums. They help the user and the helpdesk person confirm that the challenge and cryptogram values were read out and entered correctly when exchanging these details.

Reset via Windows Credential Provider

It is possible to perform PIN resets using challenge-response from the native Windows Credential Provider (CP). By default, the integrated PIN reset screen is not available in the Windows CP. To activate it, enable the group policy Allow Integrated Unblock screen to be displayed at the time of logon. You can do this from gpedit: under Computer Configuration\Administrative Templates\Windows Components\Smart Card, enable that setting.
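The same policy can be audited and enabled from an elevated PowerShell prompt through the registry value that backs it. This is an added example and not part of the Versasec article; it assumes the documented Windows policy value AllowIntegratedUnblock under the SmartCardCredentialProvider policy key, which is what gpedit writes for the setting named above.

```powershell
# Added example (not from the Versasec article): audit and enable the Windows policy
# "Allow Integrated Unblock screen to be displayed at the time of logon" via its
# registry-backed policy value instead of gpedit. Must run elevated (HKLM policy key).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$ValueName = 'AllowIntegratedUnblock'

function Get-IntegratedUnblockState {
    # Returns $true when the integrated unblock screen is enabled, $false otherwise
    # (a missing key or value means the Windows default, i.e. not enabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Enable-IntegratedUnblock {
    # Create the policy key if no smart card policy has been applied on this machine yet,
    # then write the DWORD the Group Policy editor would write for "Enabled".
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Get-IntegratedUnblockState) {
    Write-Host 'Integrated unblock screen is already enabled on this client.'
} else {
    Enable-IntegratedUnblock
    if (Get-IntegratedUnblockState) {
        Write-Host 'Integrated unblock screen enabled; it appears on the next logon with a blocked PIN.'
    } else {
        Write-Warning "Could not set $ValueName under $PolicyKey. Is the prompt elevated?"
    }
}
```

On a domain-joined client a domain GPO for the same setting overrides this local value at the next policy refresh, so roll the setting out through the domain policy there and use this script only to verify what actually applied.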

When a user tries to log on to their client and their credential PIN is blocked, a message similar to the one below is presented.

On clicking Ok the user is presented with a screen similar to the one below. The challenge code is generated automatically (the code starting 1DE9… in the example below).

The challenge code should be provided to the helpdesk person. From the Agent application the helpdesk person then needs to navigate to the PIN Unblock tab (from the Admin application, to Actions - Smart Card Unblock), click the Search button and select the user whose credential is to be reset. Then manually enter the challenge code provided by the user and click the Cryptogram button to generate the reset code.


This code should then be provided back to the user, who enters it into the Response field and sets a new PIN to complete the reset.

Important
The challenge code, the generated cryptogram and the card session in which the challenge code was generated are bound one-to-one. If, for example, the user's credential is removed from the reader before the cryptogram is entered, the challenge-response is invalidated and a new challenge has to be generated.

Unblock System Owner Token

The System Owner (SO) token is unique to each vSEC:CMS installation. Only one SO token will exist per vSEC:CMS installation. If this token is blocked follow the instructions here to unblock this token.

1. When you attempt to log on with a blocked SO token, an unblock dialog is presented showing the operator token serial number and the challenge code.

2. The person using the SO token needs to know the unblock key for the SO token. Click the Get button, which opens a new dialog. Enter the unblock key into the field provided and click the Calculate cryptogram button.

This will automatically generate a cryptogram (unblock code) and a new PIN (passcode) can be set.

Important
The unblock key was set and recorded during the initialization of vSEC:CMS on first use. If this key was not securely recorded at that time, it will not be possible to unblock the token.