SecurID® Discussions

Changing RSA PIN after regular intervals

We use RSA tokens for our MFA. We have a setup where people have their PIN set up and use it in conjunction with their tokencode as the second factor.


As per the setting configured by our initial implementation engineer, people have to change their PIN every 90 days, and it also cannot be the same as any of their last 3 PINs.


I don't see much value in changing the PIN at all, as even if the PIN gets compromised, the token has to be compromised as well. The probability of both happening together is very minimal.


Also, needless to say, it's a hassle for the user community because now they have to change their PIN just like their password. Most of the users don't do the PIN change smoothly, and that increases the number of tickets for our RSA admin team.


I just wanted some feedback from the community on whether there is any real value in changing the PIN.

5 Replies

It's a policy question, and while policy should drive security, sometimes policy drives the appearance of security, as in "we have a policy for that".

I think it is a legitimate question to ask why changing your PIN every 90 days contributes to overall security, whether there are productivity and efficiency costs associated with this policy, and whether they are worth the increase in security provided by that policy.

There is no policy from Information Security that mandates a PIN change.

But other than policy, is there a rationale for how changing the PIN improves security? Even if there is, is there a means to quantify the improvement in security?

is never strong enough. It's nasty out there in the real world.


As a start...

Refer to ISC(2) CISSP documentation about password and PIN changes, and two-factor authentication. ISC(2) has the largest body of work that is readily available to help you decide your risks and what policies might fit your scheme.


NIST is a good source for policy as well. For example, NIST Special Publication 800-63B, Digital Identity Guidelines.


Sorry, I meant policy in the generic sense, as in how a company plans to address security issues, not the specific Authentication Manager Security Console - Authentication - Policy settings (which should reflect what your generic security policy is trying to accomplish).