Configure server-side PINs
You can configure how the server evaluates PINs that are appended or prepended to the token code.
- On the SAS console, select Policy > Token Policies > Server-side PIN Policy.
- Configure the server-side PIN policy options as needed:
  - Change PIN on first use is required (Operator cannot override) - Forces the user to change the initial PIN, whether it was set for the token during initialization or set by an Operator, before they can log in. For example, if the initial PIN is ABCD and the password is 12345678, the user will attempt to log in with ABCD12345678. Assuming this combination successfully authenticates against SAS, the user will then be prompted to change their PIN to a new value that meets the minimum requirements of the Server-side PIN policy. If this option is checked, the Operator cannot override this policy when resetting a User's PIN. If this option is cleared, the Operator can choose whether to force a PIN change on first use after resetting the User's PIN. Default value: checked.
  - Force Random PINs (Operator cannot override) - If selected:
    - The Virtual Server generates random PINs that meet the Server-side PIN policy requirements for each User.
    - The Operator cannot choose the PIN to be given to a User.
    If cleared, the Operator can create a PIN that conforms to the policy or request that a PIN be generated by the Server. Default: selected.
  - PIN Processing Order - Determines whether the PIN must be appended to the end of the token code or prepended to the beginning of the token code.
- Configure the PIN Strength:
  - Minimum Length - The minimum number of characters in a PIN. Range is 3 to 15 characters.
  - Maximum Length - The maximum number of characters in a PIN. Range is 4 to 16 characters.
  - Default Generated Length - The number of characters in a PIN auto-generated by the server.
  - Change Frequency - How frequently a user must change their Server-side Server Select or Server-side User Select PIN. This period begins with the last PIN change date for a token. Default: 30 days.
  - Minimum Complexity - The combination of characters that must be used in a PIN. Default: Numeric.
    - Numeric - A PIN comprised of digits 0-9.
    - Alphanumeric - A PIN that contains at least 1 digit and 1 uppercase letter; for example, 0-9, A-Z.
    - Strong Alphanumeric - A PIN that contains at least 1 digit, 1 uppercase letter, and 1 lowercase letter; for example, 0-9, Aa-Zz.
    - Complex Alphanumeric - A PIN that contains at least 1 digit, 1 letter, and 1 special character; for example, 0-9, Aa-Zz, and one special character. The special characters are: !@#$%&*?
The following table illustrates the application of PIN complexity rules, using MobilePASS as an example:
Server-side PIN Policy | Client Message | Pass Examples |
---|---|---|
Numeric: (Minimum) PIN comprises digits 0-9. | Token PIN should contain X decimal or alphanumeric characters. | abc123, 1111, abcdd, or Pass12 |
Alphanumeric: (Minimum) PIN comprises at least 1 digit and 1 uppercase letter. | Token PIN should contain X alphanumeric characters and have at least one numeral, lowercase and uppercase character. | 12aA or 12Aa |
Strong Alphanumeric: (Minimum) PIN comprises at least 1 digit, 1 uppercase letter and 1 lowercase letter. | Token PIN should contain X alphanumeric characters and have at least one numeral, lowercase, and uppercase character. | 12aA or 12Aa |
Complex Alphanumeric: (Minimum) PIN comprises at least 1 digit, 1 letter and 1 special character. | Not applicable for MobilePASS | |
Alphanumeric PINs are typically more secure than numeric PINs.
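To make the PIN Strength rules and the PIN Processing Order concrete, here is an added Python example (written for this page, not SAS product code) that evaluates a candidate PIN against each Minimum Complexity level and splits a submitted passcode into PIN and token code. The length defaults and the treatment of the Numeric level as a character-set floor (following the pass examples in the table above) are assumptions.

```python
import string

# Character classes from the Server-side PIN Policy rules described above.
SPECIALS = set("!@#$%&*?")  # specials listed for Complex Alphanumeric
ALNUM = set(string.ascii_letters + string.digits)

def pin_meets_policy(pin, min_complexity, min_len=4, max_len=8):
    """Check a candidate PIN against a Server-side PIN policy.

    min_complexity: "Numeric", "Alphanumeric", "Strong Alphanumeric" or
    "Complex Alphanumeric". Returns (ok, reason). The length bounds are
    assumed defaults; SAS lets the operator choose them within 3-15 / 4-16.
    """
    if not (min_len <= len(pin) <= max_len):
        return False, f"length must be {min_len}-{max_len} characters"
    if any(c not in ALNUM and c not in SPECIALS for c in pin):
        return False, "character outside 0-9, A-Z, a-z and !@#$%&*?"
    digit = any(c.isdigit() for c in pin)
    upper = any(c.isupper() for c in pin)
    lower = any(c.islower() for c in pin)
    special = any(c in SPECIALS for c in pin)
    if min_complexity == "Numeric":
        # The page's table shows letter-only PINs (abcdd) passing this
        # level, so it is a floor on the character set, not digits-only.
        return True, "ok"
    if min_complexity == "Alphanumeric":
        ok = digit and upper
        return ok, "ok" if ok else "needs 1 digit and 1 uppercase letter"
    if min_complexity == "Strong Alphanumeric":
        ok = digit and upper and lower
        return ok, "ok" if ok else "needs 1 digit, 1 uppercase and 1 lowercase"
    if min_complexity == "Complex Alphanumeric":
        ok = digit and (upper or lower) and special
        return ok, "ok" if ok else "needs 1 digit, 1 letter and 1 special"
    raise ValueError(f"unknown complexity level: {min_complexity}")

def split_passcode(passcode, pin_len, order="prepend"):
    """Separate PIN and token code per PIN Processing Order ("prepend"/"append")."""
    if order == "prepend":
        return passcode[:pin_len], passcode[pin_len:]
    if order == "append":
        return passcode[-pin_len:], passcode[:-pin_len]
    raise ValueError(f"unknown PIN processing order: {order}")

if __name__ == "__main__":
    # Worked example from the page: PIN ABCD prepended to token code 12345678.
    print(split_passcode("ABCD12345678", 4, "prepend"))
    print(pin_meets_policy("Pass12", "Strong Alphanumeric"))
```

Running the checker over a proposed policy's sample PINs before rollout shows which of a group's existing PINs will be forced to change at their next authentication.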
Global or Groups PIN change
This option determines if the Server-side PIN Policy settings are global settings. Global PIN changes are applied immediately, and the group’s users who have server-side PIN-enabled tokens are required to change their server-side PINs during their next authentication.
Configure PIN changes in Policy > Token Policies > Global or Groups PIN Change.