Server PIN

A server PIN may be required in addition to the OTP and is used together with the OTP generated by the authenticator as part of the online authentication process. The server PIN is a digit-based secret that the user enters during logon together with the OTP; unlike an authenticator PIN, it is not entered into the authenticator itself (see Authenticator client PIN). The entered server PIN and OTP are verified by the authenticating server. The server only permits verification of the OTP if it is submitted with a valid server PIN. The additional server PIN provides an extra layer of security, i.e. a two-factor security solution. To authenticate, the user needs to have a connection to the authenticating server, know the server PIN (something you know), and have physical access to the authenticator (something you have) to generate an OTP.

In some cases a new server PIN may need to be set. A user's server PIN can be reset either manually by a OneSpan Authentication Server administrator or when assigning an authenticator. When using self-assignment or auto-assignment for authenticators, users can reset their server PIN. If Assignment Mode is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset, the server PIN is automatically reset. This is an optional feature and does not require any further administrator action once the option has been enabled in the authenticator properties and/or the relevant policy settings.

The following permutations of OTP and server PIN are possible:

  • otp (OTP only). The regular logon where no server PIN is required.
  • pinotp (PIN + OTP). The regular logon where a server PIN is required and is typed before the OTP.
  • pinotpnew_pinnew_pin (PIN + OTP + new PIN + new PIN). This permutation is used to change the server PIN. The new PIN is typed twice after the OTP.
  • otpnew_pinnew_pin (OTP + new PIN + new PIN). This permutation is used to set the server PIN on first use, when no initial PIN was set. The new PIN is typed twice after the OTP. This format is also necessary after an administrative PIN reset.
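The following is an added example, not OneSpan code, of how a server can split one concatenated logon string into its server PIN, OTP and new-PIN parts according to the authenticator record and check the server PIN before the OTP is ever evaluated. It assumes a fixed 6-digit OTP (OTP_LEN), a hypothetical otp_ok callback supplied by the caller, and a PinRecord that stores the current server PIN in plain text purely for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

OTP_LEN = 6  # assumed fixed OTP length for this example

@dataclass
class PinRecord:
    """Subset of the per-authenticator settings from the table below (constructed)."""
    pin_enabled: bool
    force_pin_change: bool
    pin_min_length: int
    server_pin: str = ""  # "" = no PIN set yet (first use or after an administrative reset)

def _split_new_pin(tail: str, min_len: int) -> Optional[str]:
    """'new_pinnew_pin': the new PIN typed twice; both copies must match and meet the minimum."""
    half = len(tail) // 2
    if len(tail) % 2 or half < min_len:
        return None
    first, second = tail[:half], tail[half:]
    return first if hmac.compare_digest(first.encode(), second.encode()) else None

def verify_logon(entry: str, rec: PinRecord, otp_ok: Callable[[str], bool]) -> tuple:
    """Parse one concatenated logon string and return (accepted, resulting PIN state)."""
    state = "PIN SET CHANGE FORCED" if rec.force_pin_change else "PIN SET"
    if not rec.pin_enabled:  # 'otp'
        return (len(entry) == OTP_LEN and otp_ok(entry), "PIN NOT USED")
    if not rec.server_pin:  # 'otpnew_pinnew_pin'
        otp, tail = entry[:OTP_LEN], entry[OTP_LEN:]
        new_pin = _split_new_pin(tail, rec.pin_min_length)
        if new_pin is None or not otp_ok(otp):
            return (False, "PIN NOT SET")
        rec.server_pin = new_pin
        return (True, "PIN SET")
    # 'pinotp' or 'pinotpnew_pinnew_pin': the server PIN leads and is checked first
    plen = len(rec.server_pin)
    pin, otp, tail = entry[:plen], entry[plen:plen + OTP_LEN], entry[plen + OTP_LEN:]
    if not hmac.compare_digest(pin.encode(), rec.server_pin.encode()):
        return (False, state)  # a bad server PIN means the OTP is never evaluated
    if tail:  # the new PIN typed twice after the OTP
        new_pin = _split_new_pin(tail, rec.pin_min_length)
        if new_pin is None or not otp_ok(otp):
            return (False, state)
        rec.server_pin, rec.force_pin_change = new_pin, False
        return (True, "PIN SET")
    if rec.force_pin_change:  # change required at this logon but not supplied
        return (False, state)
    return (len(otp) == OTP_LEN and otp_ok(otp), state)
```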

The server PIN run-time information is provided via the Administration Web Interface by selecting a specific authenticator record (see Table: Server settings regulating server PIN behavior).

Table: Server settings regulating server PIN behavior

  • PIN Supported: Factory default built-in setting that controls whether a PIN must be included in a user's authentication request.
  • PIN Enabled: Factory default setting to force a server PIN to be used for logon. This is possible only if PIN Supported is enabled.
  • PIN Change On: Enables the user to change the server PIN of this authenticator.
  • Force PIN Change: Forces the user to change the server PIN during the next logon.
  • PIN Length: The length of the current server PIN.
  • PIN Minimum Length: The minimum PIN length required by the server.

Server PIN states

The server PIN can change through different states that determine the possible user/administrator actions (see Figure: Server PIN states and actions).

Figure: Server PIN states and actions

When a server PIN is in the PIN SET CHANGE FORCED state, the user is forced to change the PIN at the next logon. Once the user has changed the PIN (pinotpnew_pinnew_pin), the state changes to PIN SET.

For more information about other user and administrator actions that affect server PIN states, see Authenticator record functions.