Topic: member systems, security and best practices?

micah

member systems, security and best practices?
« on: October 30, 2006, 12:23:49 PM »
I'm looking for a good article on implementing a website member system that integrates a PIN number, in addition to the standard Username and Password.

My bank's website does this and I think it's a neat idea. You log in with your username and password to get around the site, but when it comes to modifying certain information you have to first input your PIN number.

I currently have a standard username/password site set up.  If you forget your password, you can enter your e-mail address and have the password sent to you.  In order to change your e-mail address, after logging in, you have to re-enter your password.  So as of now, I am pretty confident in how this part works.

If I add a PIN number, I would need a way to let the user reset it.  Having them change it would be easy because they would be logged into the site and would have to enter their pin number to change the pin number.  But what if they forget their PIN number?  I can't just e-mail it to them because that would defeat the purpose of the extra security:  anyone who could access the site with the username/password could then just change the user's e-mail address and then have the PIN sent to them.

My first solution to this scenario was, when a user's e-mail address is changed in the system, an e-mail is sent to the old address notifying them of the change.  That way, if someone else changed your address, you would know.  Then there is a link in that e-mail that you can click that reverts your address back to its old state then resets and e-mails you a new password.

But then the problem with this is, what if a user legitimately changes their address and the notice e-mail is sent and received by someone else who now has that person's old address?  That person would be able to reset the password and assume the identity - then log in and reset the PIN and have it sent to them.

My bank has a complex method to change the PIN, you have to enter your social security number and other personal information to reset your PIN - but my site does not collect that information - and the info it DOES collect is available to be viewed by the user in their profile when they log in.

I've tried to google some solutions but haven't had much luck.  thoughts? links?

ober

Re: member systems, security and best practices?
« Reply #1 on: October 30, 2006, 12:56:13 PM »
With my bank, the only way to reset a PIN is to actually call them or go through a series of electronic communications to someone at the customer service center.  I think that would probably be the most secure way to handle it.  I say tough shit on them if they lose the PIN.

Steve

Re: member systems, security and best practices?
« Reply #2 on: October 30, 2006, 02:02:42 PM »
I would rather need to jump through hoops and talk to 20 people to change my PIN than have a simple reset. In this day and age as a service provider you cannot afford to compensate for their stupidity. If they lose the PIN, they may be annoyed at the lengthy process to correct it. But that's it. Now flip it and picture that same customer who had theirs stolen via the reset function. Yea, big problem vs small problem.

I'm with ober, if they lose it then it sucks for them.
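Added here as an illustration, not code from the thread or from any poster's site: a small Python model of the design the original post describes and the replies argue about. The PIN is required as step-up before the e-mail address can be changed, the revert token mailed to the old address only restores that address (an assumption of this example, not what the original post proposed, chosen so an inherited old mailbox cannot reset the password), and there is no self-service PIN reset, which is the position ober and Steve take. The class and method names and the PBKDF2 hashing are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory model of the member system discussed in the thread:
# a password for login, a separate PIN as step-up for sensitive changes, and a
# notification with a revert token sent to the OLD address when the e-mail changes.

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class MemberSystem:
    def __init__(self, email: str, password: str, pin: str):
        self.email = email
        self.pw_salt, self.pin_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.pw_salt)
        self.pin_hash = _hash(pin, self.pin_salt)
        self.revert_tokens = {}  # token -> previous address
        self.outbox = []  # (recipient, message) pairs the site would e-mail

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.pw_salt))

    def _pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin_hash, _hash(pin, self.pin_salt))

    def change_email(self, password: str, pin: str, new_email: str) -> bool:
        # Step-up check: a stolen password alone cannot redirect the account's mail.
        if not (self.login(password) and self._pin_ok(pin)):
            return False
        old, self.email = self.email, new_email
        token = secrets.token_urlsafe(16)
        self.revert_tokens[token] = old
        self.outbox.append((old, f"e-mail changed to {new_email}; revert token: {token}"))
        return True

    def revert_email(self, token: str) -> bool:
        # Assumption: the revert link only restores the previous address; it never
        # resets the password or PIN, so an inherited old mailbox cannot take over the account.
        old = self.revert_tokens.pop(token, None)
        if old is None:
            return False
        self.email = old
        return True

    def reset_pin(self) -> None:
        # No self-service PIN reset: e-mail is not a trusted channel for it, as the replies argue.
        raise PermissionError("PIN reset requires out-of-band identity verification")
```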