Temporary PINs
Your organization may find situations when setting up a temporary access PIN code is necessary or helpful. PIN codes can be used for authentication at devices, in the MyQ Web Interface, Desktop Client, or Mobile Client to access printing, scanning, and other MyQ functionalities.
MyQ allows administrators to implement temporary PIN codes in their workflows. Either by enabling generating all PINs as temporary for all users of the system, or by specifying only select groups of users whose PIN should always be temporary, while other users can retain the ability to receive permanent PIN codes.
Use Cases
Temporary PINs for guest users
If you frequently welcome guest users in your organization, such as external visitors or contractors, you may want to prevent them from receiving a persistent PIN that they could use anytime they come back to your office.
In this scenario, you will want to define specific user group(s) that will always receive a temporary PIN whenever MyQ generates them one. You can combine this with the Jobs via Email feature to also allow the self-registration of your guest users and visitors.
By selecting the following settings in:
Settings>User Authentication>PIN
Settings>Users
Settings>Jobs>Jobs via Email
You can establish the following workflow for guest users:
A guest user comes to your office, they do not have a MyQ account yet; they are instructed to send a job to a dedicated email address for email printing whenever they need to print.
This guest user wants to print, and they send a print document via email; a new MyQ account is automatically created for them.
This new automatically created user is assigned to the SELF-REGISTERED group (see the Users settings that allowed an unknown user to register themselves by sending a job via email and this account automatically becomes a member of the SELF-REGISTERED group).
This new user receives a temporary PIN valid for 24 hours in their mailbox.
When they auto-registered, they became a member of the SELF-REGISTERED group; and this group is set to only ever receive temporary PINs (see the Temporary PINs settings).
This user can use the temporary PIN to print in your environment for one day; the next day their PIN is invalidated.
Next time this user comes to the office, they will send another document for email printing; because their account created in Step 2 is still in the SELF-REGISTERED group, the new PIN they receive is once again valid for only 24 hours.
Other, regular users in your organization, such as employees, will not be affected; if you generate them PINs or they generate PINs for themselves, they receive a PIN that never expires automatically.
The following table compares the outcomes for a regular user and users that are self-registered:
Regular user (not a member of SELF-REGISTERED group) | Self-registered user via Email (member of the SELF-REGISTERED group automatically) |
|---|---|
Every time they send a new job to MyQ via Email (only), they receive a new PIN. | Every time they send a new job to MyQ via Email (only), they receive a new PIN. |
Every PIN they receive is persistent (does not expire). | Every PIN they receive is temporary (expires after the set period of time). |
Every time a PIN is changed for them, they receive this new PIN via email. | Every time a PIN is changed for them, they receive this new PIN via email. |
They can also generate a new PIN themselves, and the new PIN they receive is always persistent. | They can also generate a new PIN themselves, and the new PIN they receive is always temporary. |
Option User can change PIN in User Authentication>PIN can be also disabled; this will affect all users in your organization.
When disabled, no user can regenerate a PIN for themselves in the MyQ Web Interface or Mobile Client, and they cannot restore a forgotten PIN from the MyQ Web interface login screen.
If you keep User can change PIN enabled, even your guest users will be able to access these options to regenerate their PIN. However, their new PIN will still be only temporary, while other regular users will keep getting persistent PINs as usual.
Require all users to change PIN codes regularly
For security reasons, it may be necessary to ensure that none of your users retain the same PIN code for too long. Using temporary PINs for all users improves the security of your system, but also necessitates informing users about the validity of their PIN, and how they will receive a new one.
In MyQ Settings, under User Authentication, you’ll find options related to PIN codes. If you want to use only temporary PINs for all users in your system, it is recommended to configure the following:
Enable User can change PIN
Enable Send new PIN via email
Enable Generate PINs as temporary
Only for users: All users
Validity of temporary PINs: for example, 720 hours (= 30 days)
With these settings enabled, you establish the following workflow:
MyQ will automatically generate a random PIN for any new user, whether created manually or via user synchronization.
Whenever a PIN is created for such a user, the user will receive an email with the new PIN code – ensuring that users always have their credentials available and know which PIN is the active one.
All PINs generated for your users are always temporary, and they are valid for 30 days; the information on PIN validity is included in the email the user receives, so they always know for how long they can use a given PIN.
When the user’s PIN expires, this user will be unable to log in to any MyQ interface, but they can open the MyQ Web Interface or Mobile Client and generate a new PIN for themselves from the login screen.
The new PIN they receive is sent again via email and it is also valid for 30 days.
In this scenario, it is expected that users are educated about the situation with PIN codes. They should know that any PIN they receive is only temporary. Thus, they should expect that they can use their PIN code for only 30 days, and after this period, their PIN will stop working. They should be informed how they can create a new PIN code and that their new PIN codes are sent to them via email.
Notes on Temporary PINs
If using only temporary PINs, there are possible misconfigurations that might make it difficult for your users to keep continuously using MyQ. Be aware of these situations and try to prevent them.
Disabled “Send PIN via email”
If you disable Send PIN via email, and generate new PINs, your users will not receive emails with these new PINs. If the PIN code is their only way of authentication, this will leave them unable to use MyQ.
Disabled “Allow users to generate PIN”
If you do not enable users to access the Generate PIN option, be aware that administrators are the only ones who can generate PIN codes for your users. Users themselves cannot create a new PIN in the MyQ Web Interface and they also cannot reset a PIN they have forgotten.