This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
SimardeepKalra1
Beginner
Beginner
‎2017-08-14 12:56 PM

Changing RSA PIN after regular intervals

We use RSA tokens for our MFA. We have a setup where people have their PIN setup and they use that in conjunction with their tokencode for second factor.

 

As per the setting done by our initial implementation engineer, people have to change their PIN every 90 days and also it cannot be same as any of their last 3 PINs.

 

I don't see much value in changing the PIN altogether as even if PIN gets compromised the token has to be compromised as well. The probability of both happening together is very minimal.

 

Also needless to say its a hassle for the user community because now they have to change their PIN just like their password. Most of the users don't do PIN chnage smoothly and then it increases the number of tickets for our RSA admin team

 

I just wanted to some feedback from the community if there are any real value in changing the PIN

Labels (1)
0 Likes
Reply
5 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-08-14 01:43 PM

It's a policy question, and while policy should drive security, sometimes policy drives the appearance of security as in 'we have a policy for that'

I think it is a legitimate question to ask why changing your PIN every 90 days contributes to overall security and are there production and efficiency costs associated with this policy and are they worth the increase in security provided by that policy

Reply
SimardeepKalra1
Beginner
Beginner
In response to JayGuillette
‎2017-08-14 02:07 PM

There is no policy from Information Security that mandates PIN change.

But other than policy, is there a rationale on how changing the PIN improves the security. Even if it is, Is there a means to quantify the improvement in security.

0 Likes
Reply
EdwardDavis
Employee
Employee
In response to SimardeepKalra1
‎2017-08-15 08:27 AM

Well...security is never strong enough. It's nasty out there in the real world.

 

As a start...

Refer to ISC(2) CISSP documentation about password and pin changes, and two-factor authentication. ISC(2) has the largest body of work that is readily available to help you decide your risks and what policies might fit your scheme.

0 Likes
Reply
TedBarbour
Employee
Employee
In response to EdwardDavis
‎2017-08-15 10:29 AM

NIST is a good source for policy as well.  For example NIST Special Publication 800-63B Digital Identity Guidelines.

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to SimardeepKalra1
‎2017-08-15 10:43 AM

Sorry, I meant Policy in the generic sense, as in how a company plans to address Security issues, not specific Authentication Manager Security Console - Authentication - Policy settings (which should reflect what your generic Security Policy is trying to accomplish)

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.