Mastering PIN Management: Beyond the Basics

Date: 2024-02-28
Author: Versasec

Embarking on an enterprise PIN management journey starts with establishing a robust PIN policy and, ideally, leveraging a credential’s capability to manage them. Therefore, we can say that an ideal enterprise PIN policy management comes with defining, setting, and enforcing. However, not all credentials, smart cards, or tokens have the built-in ability to store and adhere to a PIN policy.

For credentials that don’t have PIN policy features, the user can choose any PIN they would like. They can follow a company’s guidelines, but the company cannot enforce them. When managing credentials lacking PIN policy capabilities, Versasec’s credential management addresses this to ensure PIN compliance.

Yet, the journey of PIN management extends beyond mere policy setting. It involves considering different PINs for authentication, signing, encryption, and FIDO2. Usually, these considerations fall under the broader category of access control and security policy management within an organization’s overall cybersecurity framework. This is closely related to Identity and Access Management (IAM) practices. Should various PINs of one user be the same, and will such alignment be allowed?

Synchronization can be considered to increase usability for the user. To provide this option, in vSEC:CMS, we offer an optional feature to sync the credential PIN with the user’s Active Directory (AD) password. This proves valuable for scenarios where passwords serve as fallbacks for lost credentials, allowing temporary password authentication. While other methods, like issuing temporary credentials, may be preferable, the option exists for those who find it a viable solution for temporary access.

In some enterprise setups, users are required to change their PINs periodically. To facilitate this process, organizations can use Versasec’s credential management to:

track the current PIN lifetime,
notify users before expiration, and
facilitate PIN changes through the user-friendly self-service capabilities.

Ensuring the security of a credential PIN is paramount. Only the user to whom the credential belongs should know the PIN. Following best practices, users should set their PINs themselves during the credential issuance. While best practice involves users being present during issuance, practical constraints such as location and time might require delivering issued credentials for later activation, with the PIN set by the user. Versasec facilitates secure and simple remote issuance and PIN unblocking with our user self-service application, vSEC:CMS User, available for Windows and Mac.

For PIV credentials lacking native support for challenge/response PIN unblock or using a credential admin PIN/Key, the only option is the credential PUC. However, relying on and sharing the PUC poses security challenges, as someone possessing both the PUC and the credential can unblock it and set a new PIN. With vSEC:CMS, this challenge is overcome through support for remote PIN unblocks, whether the user is online or offline, using a proprietary challenge/response mechanism. This capability proves particularly valuable for organizations with users dispersed by location and time.

In essence, mastering PIN management goes beyond setting PIN policies and into the realm of user experience, security, and adaptability. Versasec’s solutions provide the flexibility and robustness needed to navigate the complexities of modern PIN management effectively.

vSEC:CMS

Our product suite provides all the software tools to administrate and manage credentials in a secure and convenient way.

Start here

Free Product Trial

Versasec provides enabling IT security products centered on the usage of security devices such as smart cards. Our solutions enable customers to securely authenticate, issue and manage user credentials more cost effectively. Get a free product trial.

Job Openings

We are always looking for new exceptional persons to join our team! Find out more about our job openings.

Share this article

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
uncode_privacy[consent_types]	1 year	This cookie is set by Uncode WordPress theme and is used to manage privacy settings on the website.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_20104436_1	1 minute	Set by Google to distinguish users.
_gat_UA-20104436-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Mastering PIN Management: Beyond the Basics

vSEC:CMS

Free Product Trial

Job Openings

Sweden

United States

United Kingdom

Middle East

Asia

Germany