A token policy defines users’ RSA SecurID PIN lifetime and format, and fixed passcode lifetime and format, as well as how a deployment handles users or unauthorized people who enter a series of incorrect passcodes. A passcode is a SecurID PIN + a tokencode. The tokencode is the number displayed on the front of a SecurID token.
You assign token policies to security domains. The token policy applies to all users assigned to that security domain.
When a user authenticates with a token, the token policy that is enforced is the one assigned to the user’s security domain, not the token’s security domain. For example, if a user assigned to the New York security domain authenticates with a token assigned to the Boston security domain, the token policy of the New York security domain dictates the policy requirements.
When you edit a token policy, existing PINs and fixed passcodes are not validated against the excluded words dictionary and history requirements. They are, however, validated against all other policy requirements.
Token policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default token policy.
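The three rules above (the user’s domain decides, policy edits do not re-check existing PINs against the excluded-words list or PIN history, and custom policies are not inherited by lower-level domains) as a small model in Python. This is an added example, not RSA code; the names TokenPolicy, SecurityDomain, resolve_policy and validate_pin, and the sample domains and PIN settings, are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TokenPolicy:
    name: str
    min_pin_length: int = 4
    max_pin_length: int = 8
    numeric_only: bool = True
    excluded_words: frozenset = frozenset()
    history_depth: int = 0  # number of previous PINs that may not be reused

DEFAULT_POLICY = TokenPolicy("default")  # assigned to every new security domain

@dataclass
class SecurityDomain:
    name: str
    parent: Optional["SecurityDomain"] = None
    policy: Optional[TokenPolicy] = None  # custom policy explicitly assigned, if any

    def token_policy(self) -> TokenPolicy:
        # Not inherited: a domain with no explicit policy uses the default,
        # even when a parent domain has a custom policy assigned.
        return self.policy or DEFAULT_POLICY

@dataclass
class User:
    name: str
    domain: SecurityDomain
    pin_history: List[str] = field(default_factory=list)

def resolve_policy(user: User, token_domain: SecurityDomain) -> TokenPolicy:
    # The user's security domain decides; the token's domain is ignored.
    return user.domain.token_policy()

def validate_pin(pin: str, policy: TokenPolicy, history: List[str],
                 existing: bool) -> List[str]:
    """Return the violated requirements (empty list means the PIN is acceptable).
    existing=True models re-validation after a policy edit: the excluded-words
    and history checks are skipped, every other requirement still applies."""
    problems = []
    if not policy.min_pin_length <= len(pin) <= policy.max_pin_length:
        problems.append("length")
    if policy.numeric_only and not pin.isdigit():
        problems.append("format")
    if not existing:
        if pin.lower() in policy.excluded_words:
            problems.append("excluded_word")
        if policy.history_depth and pin in history[-policy.history_depth:]:
            problems.append("history")
    return problems
```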
You need to balance security needs against what is reasonable to expect from users. A long PIN is hard to remember and may be counterproductive, locking more users out of the network and generating calls to the Help Desk.