
My company permits remote access with authentication that includes:

  1. username
  2. password/phrase (20+ characters)
  3. User selected PIN + RSA SecurID token code

Our passwords are required to be changed every 6 weeks, and of course the SecurID token changes every 60 seconds.

Recently the policy has been modified slightly requiring the PIN to be changed every 12 months (there was previously no requirement to change the PIN). I can't personally see how this increases security, but I'm not an expert.

What security benefit does a PIN change policy like this give, and more specifically (if possible), what threat / attack is mitigated by this?

  • Is the new policy a change from "your PIN is permanent", or a change from "you need a new PIN every six weeks"?
    – Mark
    Commented Jun 6, 2017 at 23:27
  • The change for the PIN is from "permanent" to "change every 12 months".
    – Sam
    Commented Jun 6, 2017 at 23:35
  • It sounds like the new policy mitigates the threat of management being told they're not doing enough to mitigate threats.
    – Mark
    Commented Jun 7, 2017 at 0:16
  • Such policies seldom make sense; don't waste brain cycles on it. It's designed to get a checkmark on some assessment form. It might fulfill the function of detecting unused tokens (if the PIN expires).
    – eckes
    Commented Jun 7, 2017 at 0:17

1 Answer

Nothing really. If your environment already employs a 20+ character password, then this PIN is kind of "doubling up" on this. The RSA tokens are usually deployed as a one-stop solution. You log in with your user name, you know the password and you have the token (which gives a code): the trinity of who you are, something you know, something you have.

You have the extra layer of a strong password, which is stronger than the PIN used for the token.

I mean, correct me if I'm wrong, but I think the only thing that this protects against in these conditions is lost keys or old keys out in the wild that are unknown for some reason. Also an end-of-life process that is automatic, as the keys that are more than a year old will simply not be useful to anyone down the road.

Some of the more paranoid sysadmins might think that if an attacker gets a key and knows who it's from, it might forever be a risk, since all they have to do is find out the rest of the details; having no end in sight to that system gives the attacker unlimited time, in theory, to do recon. This rule would provide a one-year constraint on finding out the rest of the details required. A sort of automatic garbage collection, if you will. But that's the only thing I can think of here.
