I am currently working on a web application with a significant security risk attached to its function. We're using Microsoft Identity Framework to handle user logins, with the system forcing strong passwords and registration having the extra layer of email confirmation being required before first use.
We have a feeling that this is not entirely sufficient. One of our competitors uses a two-step login system with a password followed by the user entering three digits from a six-digit PIN by drop down. There is a suggestion that we should copy this.
Personally, I'm uncomfortable with implementing such a solution without better understanding its pros and cons versus the alternatives. It strikes me that an extra data layer entry which is immune from keylogging is not a significant extra piece of security. Surely if an attacker already has an email/password combination, almost any conceivable way they could have obtained this will also result in them having the PIN?
The obvious alternative to strengthening security is to have a two-factor authentication via SMS. This will incur a cost, but if security is paramount it would seem to actually add significant protection to the system over a PIN, which I believe will to add almost none.
What's the point of having an extra PIN authentication? Does it have any advantages over 2-factor authentication?
EDIT: The proposed PIN solution would issue the user with a randomly generated 6 digit number via email. When logging on to the site they would first have to enter a password (which may, of course, be stored by the browser). If successful, they would then be challenged to enter three randomly selected digits from the six (i.e. enter the first, second and fifth characters from your PIN) via drop down box.
On reflection, I guess this does at least stop unauthorized access via someone relying on a stored password from the browser.