20

I am currently working on a web application with a significant security risk attached to its function. We're using Microsoft Identity Framework to handle user logins, with the system forcing strong passwords and registration having the extra layer of email confirmation being required before first use.

We have a feeling that this is not entirely sufficient. One of our competitors uses a two-step login system with a password followed by the user entering three digits from a six-digit PIN by drop down. There is a suggestion that we should copy this.

Personally, I'm uncomfortable with implementing such a solution without better understanding its pros and cons versus the alternatives. It strikes me that an extra data layer entry which is immune from keylogging is not a significant extra piece of security. Surely if an attacker already has an email/password combination, almost any conceivable way they could have obtained this will also result in them having the PIN?

The obvious alternative to strengthening security is to have a two-factor authentication via SMS. This will incur a cost, but if security is paramount it would seem to actually add significant protection to the system over a PIN, which I believe will add almost none.

What's the point of having an extra PIN authentication? Does it have any advantages over 2-factor authentication?

EDIT: The proposed PIN solution would issue the user with a randomly generated 6 digit number via email. When logging on to the site they would first have to enter a password (which may, of course, be stored by the browser). If successful, they would then be challenged to enter three randomly selected digits from the six (i.e. enter the first, second and fifth characters from your PIN) via drop down box.

On reflection, I guess this does at least stop unauthorized access via someone relying on a stored password from the browser.

Bob Tway
    Sending a "one time password" with 6 digits via email and requiring the use of a drop-down to avoid key loggers does not make any sense. One time passwords are used against keyloggers. They can very well enter the 6 digits via the keyboard. There is no gain in security! – cornelinux Jun 29 '16 at 21:40
  • 2
    Is the drop-down truly immune from keylogging? The usual UX for drop-downs, say [this one](http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_select) as an example, enables you to select using the keyboard, and disabling that will tend to alienate your users. The UX is more conducive to typed input for e.g. an alphanumeric PIN where the user won't be shown the entire selection and would have to scroll to click, but routine use will make at least a fraction of your users use the keyboard to enter that field. – E.P. Jun 30 '16 at 01:41

6 Answers

33

I find it hard to see what security benefits this could provide. In multifactor authentication, the point is to use different factors — i.e., "something you know", "something you have", "something you are". Just repeating the same factor twice seems a bit pointless.

But let me speculate some about what the purpose could be.

1. Stop keyloggers

Only dumb malware tries to get passwords by blindly logging key strokes. Requiring the use of a drop down menu may protect against some malware, but in the end trying to hide user input when the computer is already infected is a losing game. See this question for a related discussion. In the end, I think the benefits are small here.

2. Increase entropy

If you add a six digit PIN to the password, you get 10^6 times as many combinations to brute force, or almost 20 extra bits of entropy, right? (Or 10^3 times, or 10 bits, if you only count the three digits entered.) Yeah, but why not just require a longer password?

Perhaps you want to split it in two to make one part (the PIN) truly random and thereby give protection to users who pick weak passwords. But what does this protect against? For online attacks, you should already have rate limiting in place to deal with this. For offline attacks, you would need to hash the PIN together with the password to get any benefits. But since you can log in providing only three out of six digits they don't seem to be doing this (unless they keep 20 hashes for all possible digit combinations).

3. Limit the effect of stolen passwords

Let's say your password gets stolen (say in a phishing attack). If the attack is only performed once, the attacker will only get half of the PIN. She will therefore not be able to easily log in if she is asked for other digits than the ones she got.

I don't see this as a big benefit. Just repeat the attack a couple of times, or attempt to login multiple times (or from different IPs) until you are prompted for the digits you have.

Drawbacks

  • It makes users more likely to write the PIN (and perhaps the password while they are at it) down on a post it or an email.
  • You can not log in using only a password manager. Why make it harder for people who use safe methods to manage their passwords?

Conclusion

I can't see any security benefits that would motivate having the user memorise an extra PIN and go through the hassle of picking numbers from drop down menus. To me this smells of security theater. But perhaps I am missing something.

Edit: Yes, I did miss something. See supercat's answer. It's a very good point, but I'm not sure I would think it is worth it anyway.

Anders
  • Some venues use a similar technique, but with a wider field: a user-defined 8+ character alphanumeric field (with at least one number), from which the user is asked three random characters at each login. To me this is looks like it can help stop stolen passwords - you need multiple successful attacks to recover the full string, and a single capture of three characters is unlikely to work again from cold. – E.P. Jun 30 '16 at 01:48
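Anders' second and third points concern the arithmetic of a 3-of-6 challenge and what a server would have to store to verify three digits without keeping the PIN in the clear (the "20 hashes for all possible digit combinations"). The Python below is an added illustration, not code from the question, from Anders, or from the competitor's site: it stores one salted PBKDF2 hash per position set (C(6,3) = 20 of them), binds each hash to its position set so one cannot be replayed for another, and puts numbers on the entropy and the offline guessing cost. All function names are hypothetical.

```python
"""Added example: verifying 3 of 6 PIN digits from hashed storage only.
Constructed for illustration; not from the question or any answer."""
import hashlib
import hmac
import math
import os
import secrets
from itertools import combinations

PIN_LENGTH = 6
CHALLENGE_DIGITS = 3
# All C(6,3) = 20 ways to pick which three positions a login challenge asks for.
POSITION_SETS = list(combinations(range(PIN_LENGTH), CHALLENGE_DIGITS))


def entropy_bits(digits: int) -> float:
    """Entropy of `digits` uniformly random decimal digits: log2(10**digits)."""
    return digits * math.log2(10)


def generate_pin() -> str:
    """Server-side random PIN (the one the question says is emailed to the user)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(PIN_LENGTH))


def _derive(salt: bytes, positions: tuple, digits: str) -> bytes:
    # The position set is mixed into the input so the hash for (0, 1, 4) cannot
    # be replayed as the hash for (0, 1, 5) when the digits happen to match.
    material = bytes(positions) + digits.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def enroll_pin(pin: str) -> dict:
    """Store one salted hash per position set instead of the PIN itself.
    This is the '20 hashes' Anders mentions as the only way to verify a partial
    PIN without keeping it recoverable."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly six decimal digits")
    salt = os.urandom(16)
    hashes = {
        pos: _derive(salt, pos, "".join(pin[i] for i in pos))
        for pos in POSITION_SETS
    }
    return {"salt": salt, "hashes": hashes}


def new_challenge() -> tuple:
    """Pick the (0-based) positions the user must enter for this login."""
    return POSITION_SETS[secrets.randbelow(len(POSITION_SETS))]


def verify_partial(record: dict, positions: tuple, entered: str) -> bool:
    """Check three entered digits against the hash stored for that position set."""
    if len(entered) != CHALLENGE_DIGITS or not entered.isdigit():
        return False
    positions = tuple(positions)
    expected = record["hashes"][positions]
    return hmac.compare_digest(expected, _derive(record["salt"], positions, entered))


def offline_guesses_to_recover_pin() -> int:
    """Worst case for an attacker holding the stored record: crack two disjoint
    position sets, e.g. (0, 1, 2) and (3, 4, 5), at 10**3 guesses each. A slow
    hash barely matters when the search space is this small."""
    return 2 * 10 ** CHALLENGE_DIGITS
```

The last function is the practical takeaway: even with 20 separate slow hashes, anyone who obtains the stored record recovers the full PIN in at most 2,000 guesses, because each hash covers only three digits. The partial-PIN design therefore adds no meaningful offline resistance; whatever value it has is limited to the online case, where rate limiting already applies.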
20

A system which locks out an account, even temporarily, in response to invalid password attempts will make it very easy to conduct a denial-of-service attack against someone. Using a two-part authentication makes it possible to have very strict lockout policies on the second part while still remaining resistant to denial-of-service attacks. If someone found out that a person's password on one system was Justin-Bieber, a system with a single part password wouldn't be able to distinguish targeted break-in attempts using variations on that password (e.g. Justin-Bieber1, Justin4Bieber, etc.) from random password entries which are intended to trigger a denial-of-service.

Splitting the password into two parts would mean that an attacker would get notice that the first part was correct but the most likely prize would not be access to the account, but merely the ability to trigger a lockdown on it until the real user authenticates via other means; since the user would know that someone else had the primary password, the user would then change that password, rendering it useless.

supercat
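supercat's argument is architectural: the password stage must not lock the account on failure, or anyone can deny service to a user by guessing wrong, while the PIN stage can be locked down hard because only a holder of the correct password ever reaches it. The Python below is an added sketch of that split (not code from supercat, the question, or any real product); it throttles wrong passwords per source IP without touching the account, locks the account after three wrong PIN answers, and takes an injectable clock so the behaviour can be exercised without waiting. For brevity stage 2 compares the whole PIN; the 3-of-6 challenge is orthogonal to the lockout policy. Class and method names are hypothetical.

```python
"""Added example: two-stage login with a lockout policy only on the second stage.
Constructed for illustration; not from the question or any answer."""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    password: str      # in-memory for the example only; a real system stores a hash
    pin: str
    pin_failures: int = 0
    locked_until: float = 0.0


class TwoStageLogin:
    """Stage 1 (password): throttled per source IP, never locks the account, so an
    attacker who knows only a username cannot lock the real user out.
    Stage 2 (PIN): strict lockout. Reaching it already required the correct
    password, so repeated failures here are a strong signal and a much smaller
    denial-of-service surface."""

    PIN_MAX_FAILURES = 3
    LOCK_SECONDS = 15 * 60
    STAGE1_VALID_SECONDS = 120
    IP_WINDOW_SECONDS = 60
    IP_MAX_FAILURES = 10

    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock
        self.ip_failures = defaultdict(list)   # ip -> timestamps of bad passwords
        self.pending = {}                      # user -> expiry of a passed stage 1

    def _ip_throttled(self, ip: str) -> bool:
        now = self.clock()
        recent = [t for t in self.ip_failures[ip] if now - t < self.IP_WINDOW_SECONDS]
        self.ip_failures[ip] = recent
        return len(recent) >= self.IP_MAX_FAILURES

    def stage1_password(self, user: str, password: str, ip: str) -> str:
        """Returns 'throttled', 'locked', 'fail' or 'ok'. A wrong password never
        changes the account's state, only the per-IP counter."""
        if self._ip_throttled(ip):
            return "throttled"
        acct = self.accounts.get(user)
        if acct is not None and self.clock() < acct.locked_until:
            return "locked"
        # Compare something even for unknown users so timing does not reveal names.
        stored = acct.password if acct is not None else "\0" * 32
        if not hmac.compare_digest(stored.encode(), password.encode()):
            self.ip_failures[ip].append(self.clock())
            return "fail"
        self.pending[user] = self.clock() + self.STAGE1_VALID_SECONDS
        return "ok"

    def stage2_pin(self, user: str, pin: str) -> str:
        """Returns 'no_session', 'locked', 'fail' or 'ok'. PIN_MAX_FAILURES wrong
        answers lock the account for LOCK_SECONDS."""
        acct = self.accounts.get(user)
        if acct is None or self.pending.get(user, 0.0) < self.clock():
            return "no_session"
        if self.clock() < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.pin.encode(), pin.encode()):
            acct.pin_failures = 0
            self.pending.pop(user, None)
            return "ok"
        acct.pin_failures += 1
        if acct.pin_failures >= self.PIN_MAX_FAILURES:
            acct.locked_until = self.clock() + self.LOCK_SECONDS
            acct.pin_failures = 0
            self.pending.pop(user, None)
            return "locked"
        return "fail"
```

The lock on stage 2 is the event supercat describes: it tells the real user that someone holds their password, and it costs the attacker the rest of the attempt rather than granting access. Per-IP throttling on stage 1 is a floor, not a solution; distributed guessing still needs the usual defences (CAPTCHA after repeated failures, credential-stuffing detection), but none of those need to lock the account.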
16

If you want strong authentication without the cost of sending SMS you can use TOTP with the Google authenticator app.

Indeed, the pin solution doesn't seem to add a lot of additional security. I also don't fully understand the mechanism. They enter 3 digits from a 6 digit pin. How did they obtain the 6 digit pin and how are the three digits selected? Also 10^3 is not such a large number, meaning the pin can be brute forced if no measures are taken. If you can clarify the pin mechanism I might be able to give more insights on its security benefits.

EDIT: based on your update this is already a weak form of two factor authentication since the pin is communicated via e-mail. Why there are 3 digits selected out of the 6 in the e-mail is still a mystery to me. The reason I say 'weak' is because a 3 digit pin code is very short and can be brute forced if no other protection is present.

Also, the dropdown thing to prevent keyloggers from logging the pin is a really weak form of protection. If you have the capability of logging keystrokes you also have the capability to check which number is selected. Or does anyone believe there are cases where keylogging is possible but monitoring clicks is not? Maybe in a hardware keylogger?

Silver
8

The point of multi-factor authentication is to require information from multiple sources so that if a user is compromised in one way (say they write their password down somewhere and it's found), then there is still a layer of security preventing account access.

Usually, the three types of authentication information are something you

  • know - like a password or a pin number you've memorized
  • have - a phone or some other access token you keep on you
  • are - a fingerprint or other biometric

Both a password and pin are considered in the first category, so the pin likely doesn't add much extra security considering there's a risk that they could both be compromised at the same time (sure, there's no/less risk of keylogging. But what if the information is intercepted over the network or some other form of capture?).

As for advantages, it's hard to say without more information. In this case, it sounds like having a pin is cheaper than doing a "proper" two-factor authentication system. Maybe the threat model is keyloggers on user computers, and this might be an appropriate fix.

Fishy
1

What's going on here is that your competitor is trying to use a poor man's substitute in place of a robust second-factor for authentication. For whatever business reasons they don't want to deal with putting in place the infrastructure on their end to implement a one-time code/OTP mechanism (the most common 2FA setup) to provide that robust second authentication factor. (Or turn to a third-party to handle implementing OTPs for them under an authentication-as-a-service model.) The results of this are rather predictable: for reasons others have pointed out this poor man's substitute isn't nearly as difficult for an attacker to overcome as a 2FA mechanism where you must get a one-use code from a separate device ("something you have") each time you sign in.

Nevertheless, there are some things about this arrangement that make it somewhat preferable to just using a password for authentication alone. By far, the two greatest problems with relying only on a password to authenticate a user are (a) the fact that a great many users liberally reuse passwords across many accounts and (b) the tendency of a great many users to choose easier-to-remember but very weak passwords. Requiring entry of a PIN that has been randomly generated by the service provides a pretty significant additional layer of protection against these huge threats. (Although distributing that PIN via email is a lousy practice, for a number of reasons.)

Of course, none of that will help you a great deal if an attacker can get malware on to your PC/device that will record your PIN as you enter it. Or if he or she can trick you into entering it into a phishing site. Here, the drop-down arrangement of entering three random digits from the six-digit PIN might provide some modest benefit in some scenarios. Many modern keyloggers will take screenshots of the mouse cursor every time the user clicks something, but some simpler/more rudimentary malware still sticks to capturing only keystrokes. Regarding theft of the PIN via phishing...well, here there's even less utility provided, simply because needing to input three randomly selected digits out of a PIN comprised of only six digits usually isn't going to be that imposing a problem. (Again, for reasons others have already well explained.) Still, one could argue that in some scenarios that arrangement may provide some bit (if a small bit) of additional utility vs. simply having the user enter their full PIN each time. (Maybe.)

All of the above being said, using a real two-factor authentication setup would certainly be preferable from a security standpoint. Especially if you're using one-use codes/OTPs generated by a hardware token (most secure) or smartphone authenticator app. No real contest.

mostlyinformed
0

The "part that you know" second factor could be which 3 of the 6 emailed characters to use (Mary uses 1st, 2nd, 5th, John: 1-2-6, Fred and Janet: 4-5-6)... not certain how you'd teach your folks which ones, but once taught that secret shouldn't have to be transmitted again. And then use tight lockdowns too.

SMS is potentially vulnerable to stingray but take that with a grain of salt--sized for how motivated people are to break into your system.

tawpie
  • That "part that you know" isn't a second factor, it's a part of the first factor, where the other part is their password. -- A second factor would be from a completely different authentication category, either something you have (RSA token, private key for signing messages, Google Authenticator), or something you are. – Ghedipunk Jun 29 '16 at 23:54
  • Brad and Janet. Not Fred. – ott-- Jun 30 '16 at 18:08