My company permits remote access with authentication that includes:
- username
- password/phrase (20+ characters)
- User-selected PIN + RSA SecurID token code
Our passwords are required to be changed every 6 weeks, and of course the SecurID token changes every 60 seconds.
Recently the policy has been modified slightly requiring the PIN to be changed every 12 months (there was previously no requirement to change the PIN). I can't personally see how this increases security, but I'm not an expert.
What security benefit does a PIN change policy like this give, and more specifically (if possible), what threat / attack is mitigated by this?