.png)
Temporary PINs
Your organization may find situations when setting up a temporary access PIN code is required or convenient. PIN codes can be used for authentication at devices, in the MyQ Web Interface, Desktop Client, or Mobile Client to access printing, scanning, and other MyQ functionalities.
MyQ allows administrators to implement temporary PIN codes in their workflows. Either by enabling generating all PINs as temporary for all users of the system, or by specifying only selected groups of users whose PIN should always be temporary while other users can retain the ability to receive permanent PIN codes.
Use Case: Temporary PINs for Guest Users
If you commonly welcome guest users in your organization, such as external visitors or contractors, you may want to prevent them from receiving a persistent PIN that they could use anytime they come back to your office.
In this scenario, you will want to define specific user group(s) whose PIN will always be generated as temporary. You can combine this with the Jobs via Email feature to also allow the self-registration of your guest users and visitors.
Settings – User Authentication – PIN
Settings – Users
Settings – Jobs – Jobs via Email
With this configuration, the following workflow is possible:
A guest user comes to your office, they do not have a MyQ account yet; they are instructed to send a job to a dedicated email address for email printing whenever they need to print.
This guest user wants to print, and they send a print document via email; a new MyQ account is automatically created for them.
This new automatically created user is assigned to the SELF-REGISTERED group (see the Users settings that allowed an unknown user to register themselves by sending a job via email and this account automatically becomes a member of the SELF-REGISTERED group).
This new user receives a temporary PIN valid for 24 hours in their mailbox.
When they auto-registered, they became a member of the SELF-REGISTERED group; and this group is set to only ever receive temporary PINs (see the Temporary PINs settings)
This user can use the temporary PIN to print in your environment for one day; the next day their PIN is invalidated.
The next time this user comes to the office, they will send another document for email printing; because their account created in Step 2 is still in the SELF-REGISTERED group, the new PIN they receive is again valid only for 24 hours
Other, regular users in your organization, such as employees, will not be affected; if you generate them PINs or they generate PINs for themselves, they will receive a PIN that never expires automatically.
The following table compares the options of a regular user and users that in the SELF-REGISTERED group.
Regular user (not a member of SELF-REGISTERED group) | Self-registered user via Email (member of the SELF-REGISTERED group automatically) |
|---|---|
Every time they send a new job to MyQ via Email (only), they receive a new PIN. | Every time they send a new job to MyQ via Email (only), they receive a new PIN. |
Every PIN they receive is persistent (does not expire automatically). | Every PIN they receive is temporary (expires after the set period of time). |
Every time a PIN is changed for them, they receive this new PIN via email. | Every time a PIN is changed for them, they receive this new PIN via email. |
They can also generate a new PIN themselves, and the new PIN they receive is always persistent*. | They can also generate a new PIN themselves, and the new PIN they receive is always temporary*. |
The option User can change PIN in User Authentication – PIN can be also disabled; this will affect all users in your organization.
When disabled, no user can regenerate a PIN for themselves in the MyQ Web Interface or Mobile Client, and they cannot restore a forgotten PIN from the MyQ Web interface login screen.
If you keep this enabled, even your guest users will be able to access these options to regenerate their PIN. However, their PIN will still be only temporary, while other regular users will keep getting persistent PINs as usual.
Use Case: Enforce policies to change PIN codes regularly
In MyQ – Settings, under the User Authentication, you’ll find options related to PIN codes. If you want to use only temporary PINs for all users in your system, it is recommended to configure the following options:
Enable User can change PIN
Enable Send new PIN via email
Enable Generate PINs as temporary
Only for users: All users
Validity of temporary PINs: for example, 720 hours (30 days)
With these settings, the following workflow is established:
MyQ will automatically generate a random PIN for any new user, whether they are created manually or via user synchronization.
Whenever a PIN is created for such a user, the user will receive an email with the new PIN code, ensuring that users always have their credentials available and know which PIN is the active one.
All PINs generated for your users are always temporary, and they are valid for 30 days; the information on how long the PIN is valid is part of the email the user receives, so users always know how long they can use the PIN they just received for.
When the user’s PIN has expired, this user will be unable to log in to any MyQ interface, but they can open the MyQ Web Interface or Mobile Client and generate a new PIN for themselves.
The new PIN they receive is sent again via email and it is also valid for 30 days.
In this scenario, it is expected that users are educated about the situation with PIN codes. They should know that any PIN they receive is only temporary. Thus, they should expect that they can use their PIN code for only 30 days, and after this period, their PIN will stop working. They should be informed about how they can create a new PIN code and that their new PIN codes are sent to them via email.
Use Case No. 3: Short-Lived PINs to Register ID Cards
For some organizations, using a temporary PIN can be a method to allow users to later register themselves using their ID card, with the card then replacing the PIN as their permanent authentication method. This is simple both for users and administrators. Administrators only need to generate a PIN for the user once, and the PIN will expire automatically. The user only needs to swipe their card at a device and enter the PIN a single time to register the card.
To utilize this option, it is necessary to define the behavior When an unknown ID card is swiped as Allow the existing user to register the card.
In this case it is best to register new users with a temporary PIN which will only last for a few days. Once they are provided with this PIN they can:
Swipe their new ID card at an Embedded Terminal.
They will be prompted to register the card.
The user enters the temporary PIN they were provided, and the card is registered to their account.
The PIN code is no longer required as the user authenticates themselves by card, and then PIN will expire shortly, minimizing security risks.
Recommendations and warnings
There are a few misconfigurations that might make it difficult for your users to keep continuously using MyQ. Be aware of these situations and try to prevent them.
Not sending PIN via email
Keep in mind that if you disable Send PIN via email, and generate new PINs, your users will not receive emails with these new PINs. If the PIN code is their only method of authentication, this will leave them unable to use MyQ.
Disabled option Allow users to generate PIN
If you do not enable users to access the Generate PIN option, be aware that administrators are the only ones who can generate PIN codes for your users. Users themselves cannot create a new PIN in the MyQ Web Interface and they also cannot reset a PIN they have forgotten.