Changing RSA PIN after regular intervals
We use RSA tokens for our MFA. We have a setup where people have their PIN set up and they use that in conjunction with their tokencode as the second factor.
As per the setting done by our initial implementation engineer, people have to change their PIN every 90 days and also it cannot be the same as any of their last 3 PINs.
I don't see much value in changing the PIN altogether as even if PIN gets compromised the token has to be compromised as well. The probability of both happening together is very minimal.
Also, needless to say, it's a hassle for the user community because now they have to change their PIN just like their password. Most of the users don't do the PIN change smoothly, and then it increases the number of tickets for our RSA admin team.
I just wanted some feedback from the community on whether there is any real value in changing the PIN.
It's a policy question, and while policy should drive security, sometimes policy drives the appearance of security, as in 'we have a policy for that'.
I think it is a legitimate question to ask why changing your PIN every 90 days contributes to overall security, whether there are production and efficiency costs associated with this policy, and whether they are worth the increase in security provided by that policy.
There is no policy from Information Security that mandates PIN change.
But other than policy, is there a rationale for how changing the PIN improves security? Even if there is, is there a means to quantify the improvement in security?
Well...security is never strong enough. It's nasty out there in the real world.
As a start...
Refer to ISC(2) CISSP documentation about password and PIN changes, and two-factor authentication. ISC(2) has the largest body of work that is readily available to help you decide your risks and what policies might fit your scheme.
Sorry, I meant Policy in the generic sense, as in how a company plans to address Security issues, not the specific Authentication Manager Security Console - Authentication - Policy settings (which should reflect what your generic Security Policy is trying to accomplish).