PIN Change Campaign
Introduction:
The PIN validation method now supports PIN change campaigns. This feature forces a PIN change for all users and can be configured to become active in a chosen timeframe, from immediately to a specific future date.
In addition, the PIN blacklist has been updated to validate PINs of up to 8 characters against most known combinations, including birthday formats and mirror formats.
How it works:
The new feature is configured in the Orchestrator - Methods - PIN section. As before, options for PIN length, validity and expiration behavior can be configured there. Before starting a new campaign, make sure these parameters have the desired values, as the campaign will take them into account.
Note that users don't need to remember their old PIN to change it; they can use any alternative authentication method they have enrolled (e.g. biometrics, FIDO).
A new section has been added: PIN CHANGE CAMPAIGNS. Three actions are possible: create a new campaign, delete an existing one, or edit an existing one.
Click the Create a new campaign button at the bottom of the window to open the new campaign pop-up. The parameters available for both new and existing campaigns are:
- Start Date: defines when the campaign becomes active and users start receiving the message to change their PIN. If the date picked is "Today", the campaign starts immediately after saving it. If a future day is chosen, it starts at midnight on that day.
- Period days: acts as a grace period, defining the timeframe users have to perform the PIN change, counted from the start date.
  If users authenticate inside the timeframe, they receive a non-compulsory message stating how many days they have left to make the change, with the options to do it now or skip it for the current authentication session.
  If users authenticate after the grace period has ended, the PIN change becomes mandatory, with no skip option. Refusing to change the PIN cancels the authentication session.
- Enabled (on/off switch): indicates whether the campaign should become available right away. Note that only one campaign can be enabled at a time. Also, an active campaign cannot be deleted; it needs to be disabled first.
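To make the campaign rules above concrete, here is an added example (not Veridium's own code) that models how an authentication attempt is classified against a campaign: not required before the start date, optional with a days-left counter inside the grace period, mandatory afterwards, and cancelled when a mandatory change is refused or the client is too old to complete it. The single-enabled-campaign rule is enforced as a configuration check. Campaign, PinChangeState and the function names are illustrative assumptions; the sample campaign reuses the page's example of 25 Dec 2022 with a 40-day grace period.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum

class PinChangeState(Enum):
    NOT_REQUIRED = "not_required"  # no enabled campaign, or its start date not reached
    OPTIONAL = "optional"          # inside the grace period: prompt with a skip option
    MANDATORY = "mandatory"        # grace period over: refusing cancels the session

@dataclass(frozen=True)
class Campaign:  # hypothetical model of one campaign entry
    start_date: date   # active from midnight on this day ("Today" = right after saving)
    period_days: int   # grace period, counted from the start date
    enabled: bool = False

def enabled_campaign(campaigns):
    """Return the single enabled campaign (or None); two at once is a config error."""
    enabled = [c for c in campaigns if c.enabled]
    if len(enabled) > 1:
        raise ValueError("only one campaign can be enabled at a time")
    return enabled[0] if enabled else None

def evaluate(campaign, at):
    """Classify an authentication happening at datetime `at` -> (state, days_left)."""
    if campaign is None:
        return PinChangeState.NOT_REQUIRED, None
    start = datetime.combine(campaign.start_date, datetime.min.time())
    deadline = start + timedelta(days=campaign.period_days)
    if at < start:
        return PinChangeState.NOT_REQUIRED, None
    if at < deadline:
        return PinChangeState.OPTIONAL, (deadline.date() - at.date()).days
    return PinChangeState.MANDATORY, 0

def session_outcome(state, changes_pin, legacy_client=False):
    """Fate of the session given the user's choice and whether the client is up to date."""
    if state in (PinChangeState.NOT_REQUIRED, PinChangeState.OPTIONAL):
        return "authenticated"  # inside the grace period the prompt may be skipped
    if legacy_client:
        return "cancelled"      # pre-campaign clients cannot complete the mandatory flow
    return "authenticated" if changes_pin else "cancelled"

def pin_change_state(campaigns, iso_timestamp):
    """Convenience wrapper: evaluate the enabled campaign at an ISO-8601 timestamp."""
    return evaluate(enabled_campaign(campaigns), datetime.fromisoformat(iso_timestamp))

# Constructed sample mirroring the page's example: start 25 Dec 2022, 40-day grace period.
SAMPLE = [Campaign(date(2022, 12, 25), 40, enabled=True)]
```

With this sample, an attempt on 2 Feb 2023 is still optional with 1 day left, while one at midnight on 3 Feb 2023 is mandatory.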
Below are some sample screenshots of a new campaign starting on 25 Dec. 2022 with a 40-day grace period, and the reactions of the mobile apps and Self Service Provider inside the timeframe:
Other components:
All components in the Veridium ecosystem have been updated to fully support PIN change campaigns and provide working flows for them. This includes the VeridiumID Mobile App (iOS & Android), Windows Credential Provider and Self Service Portal.
Backwards compatibility is supported for older mobile apps and Windows Credential Provider, but it is limited:
- While the campaign is in the grace period, users can continue authenticating as before (they are not exposed to the new PIN change flows).
- When the campaign reaches its date limit and the PIN change becomes mandatory, the authentication flow can no longer be completed, and the attempts are marked either as "Cancelled" from mobile apps or "Timeout" from Windows Credential Provider.
Note: for full functionality, mobile apps need to be updated. Android versions below 3.2.2 cancel the authentication attempt with no error message, and iOS versions below 3.2.2 cancel the authentication with a descriptive server error.