Users with RSA SecurID tokens can use Hitachi ID Password Manager for PIN reset or to clear forgotten PINs, to resynchronize their token clock with the RSA Authentication Manager, to enable or disable their token and to get emergency access pass-codes.
Organizations that have RSA SecurID tokens should allow users to clear or reset their PINs, resynchronize token clocks with the ACE server and enable/disable their own tokens. All of this should be accessible in a self-service facility, with password authentication.
There is no security impact to the above -- PIN resets in particular substitute one secret (a user's password) for another (the same user's PIN).
Support staff should be able to perform the same functions, after a reliable caller authentication process. Some organizations may also allow empower staff to issue emergency access numbers for users who misplaced their token and need access to infrastructure protected by token authentication.
Enabling self-service access to emergency pass codes reduces the security of tokens from two factor (hardware + PIN) to one factor (the password used to access self-service). This feature should only be enabled if token security can be safely reduced to password security.