FIM CM - Force PIN changes

  • Question

  • Is there any way to expire the PIN on the smartcard every X number of days and have the users receive a notification that they need to update their smartcard?
    Tuesday, July 31, 2012 6:04 PM

Answers

  • On Tue, 31 Jul 2012 18:04:10 +0000, Richard5474 wrote:

    Is there any way to expire the PIN on the smartcard every X number of days and have the users receive a notification that they need to update their smartcard?

    No.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    System going down at 5 pm to install scheduler bug.

    Wednesday, August 1, 2012 2:05 PM
  • Adding to Paul's answer, a PIN is not a password.

    - A PIN requires access to the smart card (hence two factor authentication)

    - If an incorrect # of PINs is presented to the smart card, the smart card is blocked and must be unlocked through either an online or an offline unblock process

    Brian

    Thursday, August 2, 2012 12:56 PM

All replies

  • I understand that a PIN isn't a password but part of our security mandate is that the users change their PIN every 90 days or so.  The token management that we're looking to migrate from does allow us to set that parameter.
    Tuesday, August 7, 2012 1:24 PM
  • On Tue, 7 Aug 2012 13:24:22 +0000, Richard5474 wrote:

    The token management that we're looking to migrate from does allow us to set that parameter.

    FIM CM does not provide this ability.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    No line available at 300 baud.

    Tuesday, August 7, 2012 2:01 PM
  • Hi Richard 5474,

    Adding to Paul's answer:

    Depending on the vendor of the smart card and the middleware you use, you may have an option to configure this FIM-independent, e.g. if you have Aladdin cards.

    The FIM CM client also has a password change dialog. So you might start the dialog from a logon script every 6 months or so. Just as a workaround. The changepin.cmd is located in c:\program files (x86)\Microsoft Forefront Identity Manager\2010\CM client\bin (if you installed the x86 version).

    Regards,

    Lutz

    Wednesday, August 8, 2012 1:09 AM
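
The logon-script workaround from the last reply, sketched in PowerShell as an added example that is not part of the original thread and not FIM CM's own tooling. The changepin.cmd path is the one quoted in the post; the registry key, value name and 90-day default are assumptions for illustration.

```powershell
# Added example: logon-script wrapper that opens the FIM CM client PIN change
# dialog once the configured interval has elapsed since the last prompt.
param(
    [int]$IntervalDays = 90,   # assumption: the interval the asker mentions
    # Path as quoted in the thread (x86 client install).
    [string]$ChangePinCmd = 'C:\Program Files (x86)\Microsoft Forefront Identity Manager\2010\CM client\bin\changepin.cmd',
    # Hypothetical per-user location for the reminder timestamp.
    [string]$StateKey = 'HKCU:\Software\Example\PinChangeReminder'
)

function Get-LastPrompt {
    param([string]$Key)
    $raw = (Get-ItemProperty -Path $Key -Name LastPromptUtc -ErrorAction SilentlyContinue).LastPromptUtc
    if (-not $raw) { return $null }                    # key or value missing
    $parsed = [datetime]::MinValue
    $styles = [System.Globalization.DateTimeStyles]::RoundtripKind
    if ([datetime]::TryParse($raw, [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)) {
        return $parsed
    }
    return $null                                       # unreadable value: treat as never prompted
}

function Test-PinPromptDue {
    param($LastPrompt, [datetime]$Now, [int]$IntervalDays)
    if ($null -eq $LastPrompt) { return $true }        # never prompted on this profile
    return ($Now - $LastPrompt).TotalDays -ge $IntervalDays
}

$now = [datetime]::UtcNow
if (Test-PinPromptDue -LastPrompt (Get-LastPrompt $StateKey) -Now $now -IntervalDays $IntervalDays) {
    if (-not (Test-Path -LiteralPath $ChangePinCmd)) {
        Write-Warning "changepin.cmd not found at $ChangePinCmd"
        return
    }
    # Open the dialog and wait until the user closes it.
    Start-Process -FilePath $ChangePinCmd -WorkingDirectory (Split-Path -Parent $ChangePinCmd) -Wait

    # Record only that the prompt was shown. The script has no way to confirm
    # that the PIN on the card was actually changed.
    if (-not (Test-Path $StateKey)) { New-Item -Path $StateKey -Force | Out-Null }
    Set-ItemProperty -Path $StateKey -Name LastPromptUtc -Value $now.ToString('o')
}
```

Because the timestamp lives in the user's own registry hive and only records that the dialog was shown, this is a reminder, not enforcement of a PIN change.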