CA CloudMinder Advanced Authentication › How Advanced Authentication Works › End User Authentication Flows › ArcotID OTP Flows › Forgot My PIN Flow

Forgot My PIN Flow

This section describes how end users who forget their PIN can reset it.

The flow described here is based on the following assumptions:

• An ArcotID OTP credential has been issued to the end user.
• The end user had set the PIN at the time of enrollment, but has forgotten it.

End users can reset their PIN as follows:

1. When trying to access a protected resource in a browser, the end user is prompted for their user name and OTP.
2. The end user, who has forgotten their PIN, specifies their user name and clicks the Help icon next to the One Time Password field.

   The resulting help page provides three links to enroll for advanced authentication, reset PIN, and perform roaming authentication.

3. The end user clicks the Forgot my PIN link.
4. On the resulting page, the end user completes secondary authentication with the security question and answer or security code mechanism.
5. Depending on whether two-step authentication is enabled or not, either of the following steps take place:
   • If two-step authentication is not enabled, a list of available secondary authentication mechanisms is displayed to the end user. The end user selects one and completes the authentication flow by providing the correct info.
   • If two-step authentication is enabled:
     1. The end user is authenticated again using another form of secondary authentication.

     Note: If security question was used the first time, then security code is used in this step. Conversely, if security code was used the first time, then security question is used in this step.

     1. If the verification is successful, the end user is sent an activation email with a one-time password.
6. The end user is prompted for this one-time password or to complete questions and answers, after which they can set a new PIN and confirm the same.
7. On resetting their PIN, the user receives a new OTP credential. The end user is then taken back to the login page to proceed with authentication.