We have a new print system where students can sign in using their
username and a 4-digit PIN code. The problem is that the PIN is
peculiar to this system and students do not know what it is.

So, we can generate a PIN for each student (using an Identity Manager
driver for example) and send it to them by email. We then define the
form fill policy to use a shared secret for the PIN. The user then
enters the PIN first time and thereafter Access Manager remembers the
PIN. However, generating 25,000 PINS and emaling them to students is a
big admin and communication problem, especially when it is for one
service. However, this method is secure.

Another idea involves not telling the students about the PIN at all, but
instead saving the generated PIN directly to the userstore. We then
modify the form-fill policy to auto-fill this pre-defined value; the
result is that the student is completely unware of the PIN as he never
sees the login form. The problem with this is that the PIN would have
to be stored in clear text in eDirectory. We could prevent
non-privileged users from reading by making in non-public and making
sure only certain trustees had permission to read it, however, I am a
bit concerned about the security of the PIN in this case. This method is
easier but not so secure.

Does anyone have a suggestion as to which option is best? Or is there
another way?

Any advice is welcome.
Steve Tennant

sttennant's Profile: https://forums.netiq.com/member.php?userid=389
View this thread: https://forums.netiq.com/showthread.php?t=50039