Mastering PIN Management: Beyond the Basics

Date: 2024-02-28
Author: Versasec

6.10 PIN Management

Enterprise PIN management starts with establishing a robust PIN policy and, ideally, using the credential's own capability to manage it. An ideal enterprise PIN policy therefore has three parts: defining the policy, setting it on the credential, and enforcing it. However, not all credentials, smart cards, or tokens have the built-in ability to store and adhere to a PIN policy.

For credentials without PIN policy features, the user can choose any PIN they like: they can follow the company's guidelines, but the company cannot enforce them on the credential. For such credentials, Versasec's credential management closes the gap by enforcing the policy itself, so PIN compliance no longer depends on the credential.

Yet PIN management extends beyond policy setting. It also involves deciding whether to use different PINs for authentication, signing, encryption, and FIDO2. These decisions usually fall under the broader category of access control and security policy management within an organization's overall cybersecurity framework, and they are closely tied to Identity and Access Management (IAM) practices. Should a user's various PINs be the same, and will such alignment be permitted by policy?

Synchronization can increase usability for the user. To provide this option, vSEC:CMS offers an optional feature to sync the credential PIN with the user's Active Directory (AD) password. This is valuable where passwords serve as fallbacks for lost credentials, allowing temporary password authentication. Other methods, such as issuing temporary credentials, may be preferable, but the option exists for organizations that find it a viable solution for temporary access.

In some enterprise setups, users are required to change their PINs periodically. To facilitate this process, organizations can use Versasec’s credential management to:

  • track the current PIN lifetime,
  • notify users before expiration, and
  • facilitate PIN changes through the user-friendly self-service capabilities.
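The three parts of a PIN policy described above (defining, setting, enforcing) and the periodic-change process (track the lifetime, notify before expiry, change through self-service) can be modelled together on the management side. The following is an added example, not Versasec's code and not how vSEC:CMS implements these features; the `PinPolicy`, `PinRecord` and `users_to_notify` names, the rule set and the default lifetimes are illustrative assumptions. It keeps only a salted hash of each PIN for reuse checks, never the PIN itself.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DIGITS = set("0123456789")


@dataclass(frozen=True)
class PinPolicy:
    """The 'defining' step: rules the management system applies on every PIN set or change.
    Values are illustrative defaults (hypothetical), not Versasec's."""
    min_length: int = 6
    max_length: int = 8
    max_lifetime: timedelta = timedelta(days=180)   # periodic change requirement
    warn_before: timedelta = timedelta(days=14)     # notify users this long before expiry
    history_depth: int = 3                          # how many previous PINs may not be reused

    def check(self, pin: str) -> list[str]:
        """Return the list of policy violations; an empty list means the PIN is acceptable."""
        problems: list[str] = []
        if not pin or not set(pin) <= DIGITS:
            problems.append("PIN must contain ASCII digits only")
            return problems
        if not self.min_length <= len(pin) <= self.max_length:
            problems.append(f"PIN length must be {self.min_length}-{self.max_length} digits")
        if len(set(pin)) == 1:
            problems.append("PIN must not be a single repeated digit")
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):
            problems.append("PIN must not be an ascending or descending sequence")
        return problems


def _fingerprint(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash used only for reuse checks; the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class PinRecord:
    """Per-credential lifecycle state kept on the management side (hypothetical model)."""
    policy: PinPolicy
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)
    last_set: datetime | None = None

    def status(self, now: datetime) -> str:
        """'unset', 'ok', 'expiring' (inside the warning window) or 'expired'."""
        if self.last_set is None:
            return "unset"
        expiry = self.last_set + self.policy.max_lifetime
        if now >= expiry:
            return "expired"
        if now >= expiry - self.policy.warn_before:
            return "expiring"
        return "ok"

    def set_pin(self, pin: str, now: datetime) -> list[str]:
        """The 'setting' and 'enforcing' steps: apply the policy, reject reuse, record the change.
        Returns the violations; an empty list means the change was accepted."""
        problems = self.policy.check(pin)
        if problems:
            return problems
        fp = _fingerprint(pin, self.salt)
        if any(hmac.compare_digest(fp, old) for old in self.history):
            return ["PIN was used recently and cannot be reused"]
        depth = self.policy.history_depth
        self.history = (self.history + [fp])[-depth:] if depth else []
        self.last_set = now
        return []


def users_to_notify(records: dict[str, PinRecord], now: datetime) -> dict[str, str]:
    """Scheduled sweep: map each user whose PIN is expiring or expired to that status."""
    due: dict[str, str] = {}
    for user, rec in records.items():
        state = rec.status(now)
        if state in ("expiring", "expired"):
            due[user] = state
    return due


def walkthrough() -> dict[str, object]:
    """Constructed scenario: issuance, a reuse attempt, a change, and two expiry sweeps."""
    policy = PinPolicy()
    issued = datetime(2024, 2, 28, tzinfo=timezone.utc)
    alice = PinRecord(policy)
    return {
        "sequential": alice.set_pin("123456", issued),
        "accepted": alice.set_pin("493817", issued),
        "status_at_issue": alice.status(issued),
        "reuse": alice.set_pin("493817", issued + timedelta(days=30)),
        "changed": alice.set_pin("270591", issued + timedelta(days=30)),
        "sweep": users_to_notify({"alice": alice}, issued + timedelta(days=200)),
        "sweep_late": users_to_notify({"alice": alice}, issued + timedelta(days=211)),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The sweep runs on the management system's clock, not the card's: the card only stores the PIN, while the record of when it was last set, and therefore when to notify and when to force a change through self-service, lives with the credential management system.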

Ensuring the security of a credential PIN is paramount: only the user to whom the credential belongs should know it. Following best practice, users set their PINs themselves during credential issuance. Ideally the user is present during issuance, but practical constraints such as location and time may require delivering issued credentials for later activation, with the PIN set by the user at that point. Versasec facilitates secure and simple remote issuance and PIN unblocking with our user self-service application, vSEC:CMS User, available for Windows and Mac.

For PIV credentials that lack native support for challenge/response PIN unblock and are not managed with a credential admin PIN or key, the only option is the credential PUC. Relying on and sharing the PUC poses a security challenge, however: anyone possessing both the PUC and the credential can unblock it and set a new PIN. With vSEC:CMS, this challenge is overcome through support for remote PIN unblocks, whether the user is online or offline, using a proprietary challenge/response mechanism. This capability is particularly valuable for organizations with users dispersed in location and time.
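To make the difference between a shared PUC and a challenge/response unblock concrete, here is an added example of a generic challenge/response scheme built on HMAC-SHA256. It is not Versasec's proprietary mechanism and not vSEC:CMS code; the `Credential`, `ManagementServer` and `remote_unblock` names, the per-credential unblock key injected at issuance, the simulated card state and the serial number are all constructed assumptions, and both sides run in one process for illustration. The point it demonstrates is that the unblock secret never leaves the server, each response is bound to one credential and one fresh challenge, and a captured response cannot be replayed, unlike a PUC, which is a static secret that unblocks the card as often as it is presented.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_RETRIES = 3


def _unblock_response(key: bytes, serial: str, challenge: bytes) -> bytes:
    """Binds the response to both the credential and this challenge (HMAC-SHA256, hypothetical scheme)."""
    return hmac.new(key, serial.encode() + challenge, hashlib.sha256).digest()


@dataclass
class Credential:
    """Simulated smart card / token. The unblock key is injected at issuance and never exported."""
    serial: str
    _unblock_key: bytes
    _pin: str | None = None           # simulation only; a real card keeps this in secure storage
    retries_left: int = MAX_RETRIES
    blocked: bool = False
    _pending_challenge: bytes | None = None

    def verify_pin(self, attempt: str) -> bool:
        """Normal PIN verification; the card blocks itself after MAX_RETRIES failures."""
        if self.blocked or self._pin is None:
            return False
        if hmac.compare_digest(attempt.encode(), self._pin.encode()):
            self.retries_left = MAX_RETRIES
            return True
        self.retries_left -= 1
        if self.retries_left == 0:
            self.blocked = True
        return False

    def new_unblock_challenge(self) -> bytes:
        """Fresh random challenge; replaces any earlier, unanswered one."""
        self._pending_challenge = os.urandom(16)
        return self._pending_challenge

    def unblock(self, response: bytes, new_pin: str) -> bool:
        """Accept a new PIN only if the response answers the pending challenge. Single use."""
        if self._pending_challenge is None:
            return False
        challenge, self._pending_challenge = self._pending_challenge, None
        expected = _unblock_response(self._unblock_key, self.serial, challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self._pin = new_pin
        self.retries_left = MAX_RETRIES
        self.blocked = False
        return True


@dataclass
class ManagementServer:
    """Simulated CMS. Holds each credential's unblock key; the keys never leave the server."""
    _keys: dict[str, bytes] = field(default_factory=dict)

    def issue(self, serial: str, initial_pin: str) -> Credential:
        key = os.urandom(32)
        self._keys[serial] = key
        return Credential(serial, key, initial_pin)

    def answer_challenge(self, serial: str, challenge: bytes, operator_authorized: bool) -> bytes | None:
        """Only an authorised operator (or an authenticated self-service user) gets a response."""
        if not operator_authorized or serial not in self._keys:
            return None
        return _unblock_response(self._keys[serial], serial, challenge)


def remote_unblock(server: ManagementServer, card: Credential, new_pin: str,
                   operator_authorized: bool = True) -> bool:
    """The exchange: card -> challenge -> server; server -> response -> card; card sets the new PIN.
    The same flow works offline, since challenge and response are short values that can be relayed."""
    challenge = card.new_unblock_challenge()
    response = server.answer_challenge(card.serial, challenge, operator_authorized)
    if response is None:
        return False
    return card.unblock(response, new_pin)


def walkthrough() -> dict[str, bool]:
    """Constructed scenario: block the card, unblock it remotely, then show replay and stale responses fail."""
    server = ManagementServer()
    card = server.issue("SERIAL-EXAMPLE-0001", "493817")   # constructed serial and PIN
    for _ in range(MAX_RETRIES):
        card.verify_pin("000000")
    results = {"blocked_after_retries": card.blocked}
    results["unblocked"] = remote_unblock(server, card, "270591")
    results["new_pin_works"] = card.verify_pin("270591")
    # Replay: capture one valid response and try to present it twice.
    challenge = card.new_unblock_challenge()
    captured = server.answer_challenge(card.serial, challenge, operator_authorized=True)
    results["first_use"] = card.unblock(captured, "385172")
    results["replay_rejected"] = not card.unblock(captured, "999999")
    card.new_unblock_challenge()
    results["stale_response_rejected"] = not card.unblock(captured, "999999")
    results["unauthorised_rejected"] = not remote_unblock(server, card, "999999", operator_authorized=False)
    return results


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name}: {ok}")
```

Compare this with a PUC: there, the secret handed to the helpdesk is the same value every time, so anyone who has seen it once and later holds the card can unblock it. Here the server-side key is never disclosed, the operator relays only a one-time response, and the server's authorisation check is where the organisation's access policy for unblocks is applied.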

In essence, mastering PIN management goes beyond setting PIN policies and into the realm of user experience, security, and adaptability. Versasec’s solutions provide the flexibility and robustness needed to navigate the complexities of modern PIN management effectively.
