After reading some topics here about password expiration, and also after reading this comment, a question came up in my mind: if we apply password expiration for the safety of users, should our door locks' keys also expire?
By door lock, I mean any physical access restriction we might have, so lock(s) on the server room door, on the company's building entries (including maybe the back door for firefighters or the like), vaults, etc.
For physical-key-based door locks, this would mean issuing a new metal key every X months/days/whatever, getting the old key back and providing the new key to users (assuming they are still allowed to open the door). Sounds pretty heavy and complex, but it might help against copied keys and the like.
For electronic door locks, this would mean reissuing new passwords/access keys, so the RFID/whatever card would need an update with the new access key. Sounds lighter to do, even though it still requires every employee with allowed access to do the update one way or another. Here, I assume the electronic card holds a "session token" of some kind, not a never-changing user ID that the lock would compare against a database of allowed users (in that case, the user ID itself, on both card and DB, would need to be rotated).
So, is such a policy applied in some companies, standards, etc., or is it just a dumb idea I had?