When using the PIN and Token for some time what happens to user's passwords? Do they still expire according to the user's password expiration interval? Is FALLBACK used to handle this in case AAM is unavailable for sign on?
Once a user begins to utilize MFA RSA credentials (e.g., PIN+TOKEN), their TSS password is still valid, but unless periodically changed, their password will eventually expire and be suspended if using a non-zero INACTIVE option. Some RSA sites opt to run NOFALLBACK, trusting in the reliability of the RSA server and AAM. Some set the FALLBACK attribute for privileged ACIDS only, and globally run NOFALLBACK. Others instruct their end-users to periodically change their passwords to avoid suspension.