ragren (Customer) to rsaSFDCadmin (RSA): asked a question.

Passcode vs PIN
Hello - I hope this is a really quick answer but I haven't been able to find
it yet. In the token policy, I see min/max PIN and min/max Passcode. I
thought the passcode = PIN + Code from the RSA token so how can it have a
maximum of 8? What length am I limiting to 8? What is the benefit of matching
the PIN default settings?

Thank you! Rich

  • [@ragren](https://community.rsa.com/t5/user/viewprofilepage/user-id/123338),

    No trouble at all! My answers are inline:



    Note: I am using hardware tokens as an example here, but are you using
    hardware or software tokens?



    * **If the passcode = PIN + 6-digit tokencode, and I set the PIN length to 6 (for example) then the minimum the passcode length in this situation is 12, right?**

    That is correct.

    * **And most PINs will probably be 6 or 8 digits so the minimum passcode should be 8 (4-digit PIN + 4-digit tokencode)**

    There will never be a 4 digit tokencode. Tokencodes will be either six digits
    on a hardware token fob, or six or eight digits with a software token that is
    on your desktop or device.

    Hardware token displaying six digits:

    ![EricaChalfin_2-1675294141040.jpeg](
    https://community.rsa.com/t5/image/serverpage/image-
    id/418223iC6EB03BD0B43B1EF/image-dimensions/166x92?v=v2)

    Software token displaying eight digits (with PIN already entered, because we
    can see that the label says passcode):

    ![EricaChalfin_3-1675294271623.jpeg](
    https://community.rsa.com/t5/image/serverpage/image-
    id/418224iD00B505E8DA2DD31/image-dimensions/163x94?v=v2)

    * **The maximum at 16 assuming both the software token and the PIN are set to 8.**

    Correct.

    * **But why have a configurable setting at all that limits the passcode length if both the PIN and tokencode are set elsewhere?**

    Both the min PIN and max PIN values are set under **Authentication** >
    **Policies** > **Token Policies**. They are not set elsewhere.

    * **I'm attaching an image of the Fixed passcode format option from the token policy. The Minimum length is 6 and Maximum length is 8 in the image. What does "Maximum passcode length = 8" mean?**

    It means that the maximum length of a fixed passcode is eight characters.

    * **I don't want to change the PIN requirement to an 8-digit PIN without understanding what this passcode setting does in case it breaks something by me leaving it as is or changing it. Thanks again!!**

    The fixed passcode is a whole other thing and not the same as the passcode
    used when you use PIN + tokencode. Going back to your tokens, when you
    authenticate for the first time you create a PIN. You then use this PIN +
    passcode to authenticate. Every time you authenticate you use the same PIN but
    a different tokencode.

    For fixed passcodes you set a passcode of, let's say, 12345678, and it never
    changes. You do not use a PIN. Every time you authenticate you use only
    12345678. You can set acceptable min and max lengths for a fixed passcode,
    just as you can for a PIN, but they are not the same. Like I mentioned, fixed
    passcodes are great as an auth method for your admins when testing
    authentication issues because you are not sitting around waiting for 60
    seconds to test again (the longest 60 seconds **ever** , except maybe for the
    last minute when you want to take the popcorn out of the microwave). They are
    also good for service accounts that are automated to ensure authentication is
    working, on a Cisco switch, for example.

    The information below is from the Administrator's Guide and may be helpful to
    you:

    _Maximum Lifetime_ A fixed passcode can be used instead of a PIN and tokencode
    to authenticate. Fixed passcodes are not recommended because they eliminate
    the advantages of two-factor authentication. This setting determines the
    maximum amount of time that a user can keep a fixed passcode before being
    required to change it. For example, suppose the maximum fixed passcode
    lifetime is set to 90 days. If users change their fixed passcode on June 1,
    they must change it again on August 30. This setting prevents users from
    indefinitely keeping the same fixed passcode, which increases the likelihood
    that it might be guessed by an unauthorized person trying to access your
    network.

    _Minimum Lifetime_ The minimum amount of time that a fixed passcode can exist
    before the user can change it. For example, suppose the minimum lifetime is
    set to 14 days. If users change their fixed passcode on June 15, they cannot
    change it again until June 29. This setting prevents users from circumventing
    restrictions on reusing old fixed passcodes that may have previously been set.
    For example, suppose you restrict users from reusing their five most recent
    fixed passcodes. The minimum fixed passcode lifetime prevents users from
    immediately changing their fixed passcode six times so that they can reuse a
    particular fixed passcode.

    Bring on your next questions!
    Selected as Best
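The two things this answer calls a "passcode" behave differently, and the following added example (not code from the original post, and not RSA's own software) models both so the distinction is concrete: the PIN + tokencode length range is derived from the PIN bounds and the tokencode width, while a fixed passcode has its own length, minimum/maximum lifetime and reuse-history rules. The `TokenPolicy` and `FixedPasscodeState` field names and the dates are assumptions chosen to mirror the settings and the Administrator's Guide examples quoted above; a real deployment stores passcode hashes, not plaintext.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class TokenPolicy:
    """Length and lifetime settings modelled on the token-policy fields discussed above.
    Field names are assumptions for this example, not RSA's configuration schema."""
    min_pin_len: int = 4
    max_pin_len: int = 8
    tokencode_len: int = 6          # 6 for a hardware fob, 6 or 8 for a software token
    fixed_min_len: int = 6          # fixed passcode settings are a separate mechanism
    fixed_max_len: int = 8
    fixed_max_lifetime_days: int = 90
    fixed_min_lifetime_days: int = 14
    fixed_history: int = 5          # how many recent fixed passcodes may not be reused


def passcode_length_bounds(policy: TokenPolicy) -> tuple[int, int]:
    """PIN + tokencode length range implied by the policy (not a separate setting)."""
    return (policy.min_pin_len + policy.tokencode_len,
            policy.max_pin_len + policy.tokencode_len)


def split_passcode(policy: TokenPolicy, passcode: str) -> tuple[str, str]:
    """Split a submitted PIN+tokencode string into (pin, tokencode).

    The tokencode is always the trailing fixed-width numeric part, so the PIN is
    whatever precedes it; the total length must fall in passcode_length_bounds().
    """
    lo, hi = passcode_length_bounds(policy)
    if not lo <= len(passcode) <= hi:
        raise ValueError(f"passcode length {len(passcode)} outside {lo}..{hi}")
    pin, code = passcode[:-policy.tokencode_len], passcode[-policy.tokencode_len:]
    if not code.isdigit():
        raise ValueError("tokencode must be numeric")
    if not policy.min_pin_len <= len(pin) <= policy.max_pin_len:
        raise ValueError(f"PIN length {len(pin)} outside policy")
    return pin, code


@dataclass
class FixedPasscodeState:
    """Per-user fixed passcode record (a real store would hold hashes, not plaintext)."""
    recent: list[str]       # most recent first; recent[0] is the one currently in use
    set_on: date            # date the current fixed passcode was set


def fixed_passcode_expires_on(policy: TokenPolicy, state: FixedPasscodeState) -> date:
    """Date by which the fixed passcode must be changed (maximum lifetime)."""
    return state.set_on + timedelta(days=policy.fixed_max_lifetime_days)


def fixed_passcode_change_allowed(policy: TokenPolicy, state: FixedPasscodeState,
                                  new_value: str, today: date) -> tuple[bool, str]:
    """Apply minimum lifetime, length and reuse-history rules to a requested change."""
    earliest = state.set_on + timedelta(days=policy.fixed_min_lifetime_days)
    if today < earliest:
        return False, f"minimum lifetime not reached; earliest change {earliest}"
    if not policy.fixed_min_len <= len(new_value) <= policy.fixed_max_len:
        return False, "length outside fixed passcode policy"
    if new_value in state.recent[:policy.fixed_history]:
        return False, f"matches one of the {policy.fixed_history} most recent fixed passcodes"
    return True, "ok"


def apply_fixed_passcode_change(policy: TokenPolicy, state: FixedPasscodeState,
                                new_value: str, today: date) -> FixedPasscodeState:
    """Return the updated record after an allowed change, trimming to the reuse window."""
    ok, reason = fixed_passcode_change_allowed(policy, state, new_value, today)
    if not ok:
        raise ValueError(reason)
    recent = ([new_value] + state.recent)[:policy.fixed_history]
    return FixedPasscodeState(recent=recent, set_on=today)


if __name__ == "__main__":
    policy = TokenPolicy(min_pin_len=6, max_pin_len=8, tokencode_len=8)
    print("PIN+tokencode passcode length range:", passcode_length_bounds(policy))
    print(split_passcode(policy, "secret1" + "12345678"))
    # Constructed dates, matching the Administrator's Guide examples quoted above.
    state = FixedPasscodeState(recent=["12345678"], set_on=date(2023, 6, 15))
    print("must change by:", fixed_passcode_expires_on(policy, state))
    print(fixed_passcode_change_allowed(policy, state, "87654321", date(2023, 6, 28)))
    print(fixed_passcode_change_allowed(policy, state, "87654321", date(2023, 6, 29)))
```

The reuse-history check alone is not enough: with the minimum lifetime set to zero a user can cycle through five throwaway values and land back on the old one, which is exactly why the guide pairs the history setting with a minimum lifetime.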