I’m developing an additional security module for a web application, which asks the user to enter a PIN code randomly generated at user signup. The PIN is stored AES-128 encrypted in a db and sent by sms to the new user.
The user will be ask to provide his PIN when certain situations occur (i.e. “strange” accesses, or unusual operations) – and i’d like the user not to enter the entire PIN code, but just 2 digit (for example: the 1st and the 6th).
2 4 6 2 9 1 8 3 -> entire PIN
^---------^---- -> digits i'm asking
My question is: is the a more secure way to choose which digits to ask? Should i choose them randomly (but an eventual attacker who owns part of the pin could retry until the digits he owns are requested) or should i ask each user always for the same digits – maybe storing their indexes encrypted with the PIN, or generate them with a function parametrized with the PIN itself?
Thanks.
The way I find most online banking software implements this is that once it’s asked for two digits it will keep asking for the same until the user either blocks the account (from too many wrong attempts) or answers it correctly. After this another 2 digits is randomly selected for next time.
As far as I know this is the only way to mitigate an attacker simply reloading until they get a combination they desire.