From InsightWiki

PINs can be set in Insight as a method of two-factor authentication. The option to turn PINs on or off is found in role options.

When a PIN is in use, a user needs their PIN as well as their username and password to log in. After they enter their username and password correctly, a four-digit PIN is emailed and/or texted to them (using the details found on their account).

All PINs expire within 24 hours, after which the user will need to retrieve a new PIN from their email address / phone when they try to log in.

If you enable time-based one-time PIN (TOTP) authentication by setting the relevant web.config file setting (TOTP), a QR code will be displayed when users attempt to log in. After a user has scanned the image with an RFC-compatible authentication app and logged in, the rolling codes from the app must be used at every login.

If you use Duo Security, you can add a file named DUO.CONFIG to the root Insight folder. The file should contain three lines: your Integration Key, your Secret Key, and your Host Key. When this file is present, Insight will check the entered PIN against Duo.