[F1 [F24.1.2. User identification and authentication U.K.
[UIA_207] The VU shall permanently and selectively track the identity of two users, by monitoring the tachograph cards inserted in respectively the driver slot and the co-driver slot of the equipment.
[UIA_208] The user identity shall consist of:
a user group:
DRIVER (driver card),
CONTROLLER (control card),
WORKSHOP (workshop card),
COMPANY (company card),
UNKNOWN (no card inserted),
a user ID, composed of:
the card issuing Member State code and of the card number,
UNKNOWN if user group is UNKNOWN.
UNKNOWN identities may be implicitly or explicitly known.
[UIA_209] The VU shall authenticate its users at card insertion.
[UIA_210] The VU shall re-authenticate its users:
at power supply recovery,
periodically or after occurrence of specific events (TBD by manufacturers and more frequently than once per day).
[UIA_211] Authentication shall be performed by means of proving that the card inserted is a valid tachograph card, possessing security data that only the system could distribute. Authentication shall be mutual and triggered by the VU.
[UIA_212] In addition to the above, workshops shall be required to be successfully authenticated through a PIN check. PINs shall be at least 4 characters long.
Note: In the case the PIN is transferred to the VU from an outside equipment located in the vicinity of the VU, PIN confidentiality need not be protected during the transfer. U.K.
[UIA_213] The VU shall detect and prevent use of authentication data that has been copied and replayed.
[UIA_214] After 5 consecutive unsuccessful authentication attempts have been detected, the SEF shall:
generate an audit record of the event,
warn the user,
assume the user as UNKNOWN, and the card as non valid (definition z) and requirement 007).] ]