When the default token policy is changed, all users assigned to Security Domain(s) are immediately assigned the new token policy, forcing users in the Security Domain(s) to change their PIN the next time they authenticate.
If you edit a token policy and check the box to make this policy the default policy, it changes the token policy configured within the Security Domain(s) to this Default Policy.
Procedure to set a default token policy
In the Security Console, navigate to Authentication > Policies > Token Policies > Manage Existing.
From the context menu of the chosen token policy, click Edit.
For Default Policy, select the checkbox next to Set as default SecurID token policy.
Let's say you have an Initial Token Policy that requires a minimum PIN length of four digits as your Default Token Policy.
There is another token policy called Test Token Policy with a minimum PIN length of six digits.
A Security Domain called TestDomain has the Initial Token Policy assigned to it.
The TestDomain security domain has its SecurID Token Policy set to "Always Use Default".
Later the default policy is changed to Test Token Policy.
Once you save the default token policy change, TestDomain will effectively have a token policy of Test Token Policy, and all users in TestDomain will be challenged to set a new PIN if they have a four-digit PIN. This is functioning as designed.
To avoid any unexpected results from the default policy change, use a custom policy instead of Always Use Default when you add a new Security Domain.
Procedure to assign a custom token policy to a Security Domain
In the Security Console, click Administration > Security Domains > Add New.
In the Security Domain Name field, enter a unique name.
From the SecurID Token Policy drop-down list, assign a SecurID token policy to the security domain.