How can we help?

PIN Policy Configuration

Anders Adolfsson - Versasec
Anders Adolfsson - Versasec
  • Updated

Introduction

A PIN is a private code. It can be a sequence of numeric or alphanumeric characters or a mix of the two and is used as a factor (something you know) when authenticating with a credential in a 2FA scenario. The PIN must be verified before you can perform security tasks with the credential, such as logon to a workstation, or creating a digital signature. The PIN should be unique to the user's credential and known only to the user.

Important
The PIN policy that can be applied to a credential needs to adhere to what is allowed on the credential. Different credentials allow different PIN policy configurations to be applied. Therefore, it is required that any PIN policy that is to be applied to a credential is supported on it. The credential vendor documentation will define what PIN policy settings are supported on it.
It is recommended to test applying the PIN policy you wish to enforce during the setup/testing phase to ensure that the credential you use will support the policy you are applying.

In vSEC:CMS you can configure a PIN policy that can then be applied to the credential during the issuance process. This article will describe the different PIN policy configurations available for the different credentials supported by vSEC:CMS.

PIN Policy Settings

You can configure PIN policy settings from Templates - PIN Policies. Alternatively you can configure them from inside the template (Templates - Card Templates) in the Issue Card section under the Primary Card PIN Options section.

Generic Minidriver Smart Cards

For generic minidriver credentials a generic PIN policy template can be created and set on these credentials. From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

Enable the Block card after policy update if it is required to block the user credential after setting the PIN policy to the credential. Enable the Update tries left counter and set a value for the counter to configure the number of consecutive PIN entry attempts allowed by the credential user before the PIN is blocked.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

IDPrime .NET

For Thales IDPrime .NET a PIN policy template can be created and set on these credentials. From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select the .NET cards.

The Template name field can be changed as required to provide a descriptive name for the template policy.

The Card type field indicates the card types that the template can be applied to.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

By enabling the Adjacent positions allowed check box a PIN which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed PIN values.

Note
The value set here cannot exceed Max appearance value that is configured in the field described below.

The Max appearance configures the PIN policy to set the allowed number of appearances of a character in a PIN but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the PIN value 0001 would not be allowed whereas the PIN value 0011 would be allowed.

The Max length of sequence is the number of times that a sequence of characters is allowed, for example 1,2,3,4,5,6...For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed PIN values.

The Max repeated characters configure the PIN policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.

Enable the Block card after policy update checkbox to block the credential after the PIN policy is updated and applied to it, thereby requiring an unblock by the user on receipt of the credential.

The Update tries left counter configures the PIN policy to set the number of incorrect PIN entry attempts a user can attempt before the credential will be blocked.

For PIN length, the Min configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the credential PIN can be when the user is setting their PIN.

Enable the Character set restrictions check box in order to be able to configure specific character combinations to be used when setting a PIN. If this checkbox is not enabled then all characters will be allowed to be used when setting a PIN.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

The Disable unblock checkbox configures the PIN policy, if enabled, such that if a user blocks their credential it will not be possible to unblock the credential using either administration key or PUC.

The Disable change will disable PIN change on the card, i.e. the policy will not allow the user to change the PIN.

Enable the Unblock using admin checkbox in order to be able to unblock a smart PIN using the administration key as set on the credential.

Enable the Unblock using PUC if it is required to set and use a PUC to unblock the credential.

The Support SSO check box configures the PIN policy, if enabled, to support the feature whereby a user needs to enter their PIN once only during a session as long as the credential is not removed.

The New PIN must differ checkbox configures the PIN policy, if enabled, to ensure that the new PIN entered is not the same as the previous PIN set on the credential.

The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their credential PIN.

The External PIN flags drop down list provides options for PIN pad readers if these are used. Leave the option as No flag if either a PIN pad reader is not used or you do not need to set specific flags if a PIN pad reader is used. Select the option No regular fallback which will result in the credential not being allowed to be used for Windows logon if the card reader is not a PIN pad reader. Select No auto PIN pad if it is allowed for the credential to be used for Windows logon with a PIN pad reader and the PIN type as set on the credential is regular PIN. Select No regular fallback + No auto PIN pad if it is required to meet both conditions as already described. Please note that the settings described here are specific to Thales ID Prime MD cards. If further details are required on these specific settings please consult with your Thales provider.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

Safenet eToken

For eToken credentials a PIN policy template can be created and set on these credentials. From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select SafeNet eTokens.

Note
This PIN policy should only be used with eTokens that contain the eToken (Safenet) applet. There are other versions of eTokens that contain the IDPrime MD applet which in that case you should use the IDPrime MD PIN policy (see below for details on this).

The Template Name field can be changed as required to provide a descriptive name for the template policy.

The Card type field indicates the card types that the template can be applied to.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

The Min Length configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN.

The Min usage period is the minimum period before the PIN can be changed. The default setting is 0 (none).

The Max usage period is the maximum period before the PIN can be changed. The default setting is 0 (none).

The Expiry warning period is the number of days before the PIN expires that a warning message is shown. The default setting is 0 (none).

The Repeat count is the number of times the same character can be present in a PIN.

The Must meet complexity requirements can be set to ensure that the complexity requirements are required in the PIN. The following settings can be set:

  • None: complexity requirements are not enforced;
  • Auto: Can be included in the PIN, but is not mandatory (default);
  • Manual: complexity requirements, which can be set manually. For each of the character types (NumbersCapital charactersLowercase characters and Special characters) select one of the following options:

Allow: complexity requirements are enforced.

Forbid: Must not be included in the PIN;

Must: Must be included in the PIN.

The History size defines how many previous PINs should not be repeated.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

Thales IDPrime MD

From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select IDPrime MD Smart Cards.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

By enabling the Adjacent positions allowed check box a PIN which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed PIN values.

Note
The value set here cannot exceed Max appearance value that is configured in the field described below.

The Max appearance configures the PIN policy to set the allowed number of appearances of a character in a PIN but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the PIN value 0001 would not be allowed whereas the PIN value 0011 would be allowed.

The Max length of sequence is the number of times that a sequence of characters is allowed, for example 1,2,3,4,5,6...For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed PIN values.

The Max repeated characters configure the PIN policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.

Important
The Block card after policy update flag is not supported by these card types. Therefore, this check box should not be enabled otherwise you will get an error during issuance if this flag is enabled.

The Update tries left counter configures the PIN policy to set the number of incorrect PIN entry attempts a user can attempt before the credential will be blocked.

For PIN length, the Min configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the credential PIN can be when the user is setting their PIN.

Important
The Max PIN length supported for this card cannot be greater than 16.

Enable the Character set restrictions check box in order to be able to configure specific character combinations to be used when setting a PIN. If this checkbox is not enabled then all characters will be allowed to be used when setting a PIN.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

The Disable unblock checkbox configures the PIN policy, if enabled, such that if a user blocks their credential it will not be possible to unblock the credential using either administration key or PUC.

The Disable change will disable PIN change on the card, i.e. the policy will not allow the user to change the PIN.

Enable the Unblock using admin checkbox in order to be able to unblock a smart PIN using the administration key as set on the credential.

The Support SSO check box configures the PIN policy, if enabled, to support the feature whereby a user needs to enter their PIN once only during a session as long as the credential is not removed.

The New PIN must differ checkbox configures the PIN policy, if enabled, to ensure that the new PIN entered is not the same as the previous PIN set on the credential.

The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their credential PIN.

The External PIN flags drop down list provides options for PIN pad readers if these are used. Leave the option as No flag if either a PIN pad reader is not used or you do not need to set specific flags if a PIN pad reader is used. Select the option No regular fallback which will result in the credential not being allowed to be used for Windows logon if the card reader is not a PIN pad reader. Select No auto PIN pad if it is allowed for the credential to be used for Windows logon with a PIN pad reader and the PIN type as set on the credential is regular PIN. Select No regular fallback + No auto PIN pad if it is required to meet both conditions as already described. Please note that the settings described here are specific to Thales ID Prime MD cards. If further details are required on these specific settings please consult with your Thales provider.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

Thales IDPrime Virtual

From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select IDPrime Virtual.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

By enabling the Adjacent positions allowed check box a PIN which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed PIN values.

Note
The value set here cannot exceed Max appearance value that is configured in the field described below.

The Max appearance configures the PIN policy to set the allowed number of appearances of a character in a PIN but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the PIN value 0001 would not be allowed whereas the PIN value 0011 would be allowed.

The Max length of sequence is the number of times that a sequence of characters is allowed, for example 1,2,3,4,5,6...For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed PIN values.

The Max repeated characters configure the PIN policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.

Important
The Block card after policy update flag is not supported by these card types. Therefore, this check box should not be enabled otherwise you will get an error during issuance if this flag is enabled.

The Update tries left counter configures the PIN policy to set the number of incorrect PIN entry attempts a user can attempt before the credential will be blocked.

For PIN length, the Min configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the credential PIN can be when the user is setting their PIN.

Important
The Max PIN length supported for this card cannot be greater than 16.

Enable the Character set restrictions check box in order to be able to configure specific character combinations to be used when setting a PIN. If this checkbox is not enabled then all characters will be allowed to be used when setting a PIN.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

The Disable unblock checkbox configures the PIN policy, if enabled, such that if a user blocks their credential it will not be possible to unblock the credential using either administration key or PUC.

The Disable change will disable PIN change on the card, i.e. the policy will not allow the user to change the PIN.

Enable the Unblock using admin checkbox in order to be able to unblock a smart PIN using the administration key as set on the credential.

The Support SSO check box configures the PIN policy, if enabled, to support the feature whereby a user needs to enter their PIN once only during a session as long as the credential is not removed.

The New PIN must differ checkbox configures the PIN policy, if enabled, to ensure that the new PIN entered is not the same as the previous PIN set on the credential.

The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their credential PIN.

The External PIN flags drop down list provides options for PIN pad readers if these are used. Leave the option as No flag if either a PIN pad reader is not used or you do not need to set specific flags if a PIN pad reader is used. Select the option No regular fallback which will result in the credential not being allowed to be used for Windows logon if the card reader is not a PIN pad reader. Select No auto PIN pad if it is allowed for the credential to be used for Windows logon with a PIN pad reader and the PIN type as set on the credential is regular PIN. Select No regular fallback + No auto PIN pad if it is required to meet both conditions as already described. Please note that the settings described here are specific to Thales ID Prime MD cards. If further details are required on these specific settings please consult with your Thales provider.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

Versasec Virtual Smart Card

From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select Versasec Virtual Smart Card.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

By enabling the Adjacent positions allowed check box a PIN which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed PIN values.

Note
The value set here cannot exceed Max appearance value that is configured in the field described below.

The Max appearance configures the PIN policy to set the allowed number of appearances of a character in a PIN but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the PIN value 0001 would not be allowed whereas the PIN value 0011 would be allowed.

The Max length of sequence is the number of times that a sequence of characters is allowed, for example 1,2,3,4,5,6...For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed PIN values.

The Max repeated characters configure the PIN policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.

Important
The Block card after policy update flag is not supported by these card types. Therefore, this check box should not be enabled otherwise you will get an error during issuance if this flag is enabled.

The Update tries left counter configures the PIN policy to set the number of incorrect PIN entry attempts a user can attempt before the credential will be blocked.

For PIN length, the Min configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the credential PIN can be when the user is setting their PIN.

Important
The Max PIN length supported for this card cannot be greater than 16.

Enable the Character set restrictions check box in order to be able to configure specific character combinations to be used when setting a PIN. If this checkbox is not enabled then all characters will be allowed to be used when setting a PIN.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

The Disable unblock checkbox configures the PIN policy, if enabled, such that if a user blocks their credential it will not be possible to unblock the credential using either administration key or PUC.

The Disable change will disable PIN change on the card, i.e. the policy will not allow the user to change the PIN.

Enable the Unblock using admin checkbox in order to be able to unblock a smart PIN using the administration key as set on the credential.

The Support SSO check box configures the PIN policy, if enabled, to support the feature whereby a user needs to enter their PIN once only during a session as long as the credential is not removed.

The New PIN must differ checkbox configures the PIN policy, if enabled, to ensure that the new PIN entered is not the same as the previous PIN set on the credential.

The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their credential PIN.

The External PIN flags drop down list provides options for PIN pad readers if these are used. Leave the option as No flag if either a PIN pad reader is not used or you do not need to set specific flags if a PIN pad reader is used. Select the option No regular fallback which will result in the credential not being allowed to be used for Windows logon if the card reader is not a PIN pad reader. Select No auto PIN pad if it is allowed for the credential to be used for Windows logon with a PIN pad reader and the PIN type as set on the credential is regular PIN. Select No regular fallback + No auto PIN pad if it is required to meet both conditions as already described. Please note that the settings described here are specific to Thales ID Prime MD cards. If further details are required on these specific settings please consult with your Thales provider.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

Windows Virtual Smart Card

If Microsoft's Virtual Smart Card (VSC) implementation is used a PIN policy template can be created and set on these VSC. From the Templates - PIN Policies page, click the Add button. Enter a template name and from the Card type select Windows Virtual Smart Card.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

Enable the Character set restrictions checkbox in order to be able to configure specific character combinations to be used when setting a PIN. If this check box is not enabled then all characters will be allowed to be used when setting a PIN.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

The Update tries left counter is shown here for information purposes and this shows the number of incorrect PIN entry attempts a user can attempt before the VSC will be blocked. This cannot be changed.

For PIN length, the Min configures the PIN policy to set the minimum length that the VSC PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the VSC PIN can be when the user is setting their PIN.

The Disable unblock checkbox configures the PIN policy, if enabled, such that if a user blocks their VSC it will not be possible to unblock the VSC using either administration key.

The Disable change will disable PIN change on the VSC, i.e. the VSC will not allow the user to change the PIN.

Enable the Unblock using admin checkbox in order to be able to unblock a VSC PIN using the administration key as set on the VSC.

The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their VSC PIN.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png

PIV PIN Policy

If you are managing PIV cards a PIN policy template can be created and set on supported PIV credentials. From the Templates – PIN Policies page, click the Add button. Enter a template name and from the Card type select PIV Smart Cards.

Enable Smart card managed PIN policies check box to allow for PIN policies to be defined that can then be set on the credential during the issuance process.

By enabling the Adjacent positions allowed check box a PIN which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed PIN values.

Note
The value set here cannot exceed Max appearance value that is configured in the field described below.

The Max appearance configures the PIN policy to set the allowed number of appearances of a character in a PIN but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the PIN value 0001 would not be allowed whereas the PIN value 0011 would be allowed.

The Max length of sequence is the number of times that a sequence of characters is allowed, for example 1,2,3,4,5,6...For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed PIN values.

The Max repeated characters configure the PIN policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.

Enable the Block card after policy update checkbox to block the credential after the PIN policy is updated and applied to it, thereby requiring an unblock by the user on receipt of the credential.

The Update tries left counter configures the PIN policy to set the number of incorrect PIN entry attempts a user can attempt before the credential will be blocked.

Important
The Update tries left counter is only supported on Yubico PIV credentials.

For PIN length, the Min configures the PIN policy to set the minimum length that the credential PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the credential PIN can be when the user is setting their PIN.

Important
The PIV standard states that PINs should be between 6-8 characters in length. Some card vendors do not strictly adhere to this requirement, therefore you can configure lengths outside of this range depending on what the card vendor implemented.

If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a PIN. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric or alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ascii character.

Enable Update AD password when changing card PIN if it is required to synchronize the PIN with the credential holders AD password. See the article Synchronize Credential PIN with Active Directory Password for more details on how this feature can be used.

Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.

Untitled.png