We use RSA tokens for our MFA. We have a setup where people have their PIN set up and they use that in conjunction with their tokencode as the second factor.
As per the settings configured by our initial implementation engineer, people have to change their PIN every 90 days, and it also cannot be the same as any of their last 3 PINs.
I don't see much value in changing the PIN at all, as even if the PIN gets compromised, the token has to be compromised as well. The probability of both happening together is very minimal.
Also, needless to say, it's a hassle for the user community because now they have to change their PIN just like their password. Most of the users don't do the PIN change smoothly, and then it increases the number of tickets for our RSA admin team.
I just wanted to get some feedback from the community on whether there is any real value in changing the PIN.