I kind of chuckled when I saw the SecurID card pictured at the left. I recall one of my cohort members at JMU mocking SecurID security because the fob is treated so insecurely by users and the PIN even less so. Here’s the physical evidence.
It is bad enough that users are most likely using the same PIN for the SecurID, building access code, work voicemail, ATM, family voicemail, the bike lock and the luggage. This user carved the PIN into the back of the SecurID. (I bet you hold the SecurID upside down for extra PIN security.)
After the RSA hack, we implemented PIN expiration and a new minimum PIN length. Both would make carving a PIN into a SecurID card ineffective. Both would also tend to cause more people to write down the PIN.
So what do you do to educate users about the risk of writing down the PIN? If this physical device were something they had to use every day, at least we would find out when it was lost within a week. Instead, I have visions of a SecurID with PIN being lost and us not hearing about it for a while.