PIN management
This section describes how to set the minimum PIN length, create or update a PIN, and require a user to change their PIN on first use.
Set the admin PIN for a FIDO device
Use this option to set the admin PIN. Once the device admin PIN is set, the device state changes from unmanaged mode to managed mode.
Managed devices are those actively controlled, monitored, and configured by an administrator; this includes all enterprise devices. Unmanaged devices are standard devices not under such control or monitoring.
This feature is available only for FIDO 2.1 and later devices.
To set the admin PIN:
- Insert the FIDO device and open SafeNet FIDO Key Manager.
- Select Admin > Set admin PIN for this FIDO Key.
- Enter the admin PIN, confirm it, and click Submit.
  The admin PIN must be 16 characters in length and can include plain text and special characters.
Note
This operation also sets the FIDO device to managed mode.
Update an admin PIN
You can update an admin PIN after it has been set.
Note
This feature is available only for FIDO 2.1 and later devices.
To update an admin PIN:
- Insert the FIDO device and open SafeNet FIDO Key Manager.
- Select Admin > Update Admin PIN.
- Enter the current admin PIN and then click Submit.
- Enter the new admin PIN, confirm it, and then click Submit.
  The admin PIN must be 16 characters in length and can include plain text and special characters.
Set up a user PIN for FIDO devices
To create a PIN for a FIDO or fusion (FIDO + PKI) device:
- Insert your FIDO device and open SafeNet FIDO Key Manager.
- Select Setup PIN.
- Enter the new PIN.
  Observe the minimum PIN length.
- Confirm the new PIN and then click Submit.
Change a FIDO or PKI PIN
To change your existing FIDO or PKI device PIN:
- Insert your FIDO or PKI device and open SafeNet FIDO Key Manager.
- Select Change PIN.
- Enter your current PIN, your new PIN, and then click Submit.
If your current PIN is invalid:
- Your number of attempts will be reduced. If only two attempts remain, a warning message is displayed.
  - A corresponding screen is displayed for a PKI device.
  - For a FIDO device, a pop-up appears after a certain number of incorrect PIN attempts, which may vary depending on the device.
- If the last attempt fails, the device will be locked. Contact the administrator to unblock it.
  - A corresponding screen is displayed for a PKI device.
  - A corresponding screen is displayed for a FIDO device.
If the PIN is valid:
- A confirmation message is displayed.
Set PIN length
You can set a minimum PIN length for FIDO devices.
Note
This feature is available only for FIDO 2.1 and later devices.
To set the minimum PIN length:
- Select Admin > Set PIN length.
- Provide the user PIN for a standard or unmanaged device and the admin PIN for an enterprise or managed device, and then click Submit.
  Note
  This step is displayed only if you are entering the admin PIN for the first time. After the admin PIN is authenticated, this step is skipped for the rest of the session.
- Select a minimum PIN length of 4 to 63 characters from the drop-down.
  Note
  If your desired minimum PIN length value is not listed in the drop-down, reset the device to enable that value.
- Click Submit.
- Change the PIN, since the PIN length has changed, and click Submit.
  This is mandatory if the PIN has already been set. Otherwise, you can change the PIN later.
Note
This option remains grayed out until the user PIN setup is done.
Enforce PIN change
Note
This feature is available only for FIDO 2.1 and later devices.
You can force users to change their PIN on the next usage, as follows:
- Select Admin > Enforce PIN change.
- Provide the user PIN for a standard or unmanaged device and the admin PIN for an enterprise or managed device, and then click Submit.
  Note
  This step is displayed only if you are entering the admin PIN for the first time. After the admin PIN is authenticated, this step is skipped for the rest of the session.
- Select the checkbox to enforce the PIN change and click Submit.
Note
- This option remains grayed out until the user PIN setup is done.
- Once checked, you cannot uncheck the Enforce PIN change checkbox. You can uncheck the checkbox only after the user changes the PIN.
Enforce user verification
Note
This feature is available only for FIDO 2.1 and later devices.
You can force users to provide biometric or PIN verification to use the FIDO devices while enrolling a device on a service provider.
For standard and enterprise unmanaged devices, if the Enforce User Verification feature is enabled from the factory, it cannot be disabled unless the device is reset. However, for the enterprise-managed devices, this feature can be enabled or disabled using the admin PIN.
Perform the following steps to enforce user verification:
- Select Admin > Enforce user verification.
- Provide the user PIN for a standard or unmanaged device and the admin PIN for an enterprise or managed device, and then click Submit.
  Note
  This step is displayed only if you are entering the admin PIN for the first time. After the admin PIN is authenticated, this step is skipped for the rest of the session.
- Select the checkbox to enforce the user verification and click Submit.
Note
- When the Enforce User Verification checkbox is enabled, and the service provider (IDP or relying party) has the User Verification setting marked as Discouraged, you will be required to perform both PIN entry and biometric verification (such as touching the security key) during the enrolment and authentication processes.
- When the Enforce User Verification checkbox is disabled, and the service provider (IDP or relying party) has the User Verification setting marked as Discouraged, you will be required to perform both PIN entry and biometric verification (such as touching the security key) only during the enrolment process.
  However, during the authentication process, you will only need to perform the biometric action (such as touching the security key), and entering a PIN will not be necessary.