When I was tasked with revamping the current iteration of Only1, I was initially overwhelmed - especially given what was requested. The idea was to increase the security around our password management so that we no longer relied solely on the last four of SSN and DOB to verify a user. The solution was a set of three security questions set up by the user when they first log-in to change their password. Sounds simple enough, right? Kind of.
The first question comes from a set of pre-defined questions. These were pretty generic and similar to the ones you might see on other sites (mother's maiden name, high school mascot, etc.).
The second question allows the user to type their own question and answer. This was so it would be difficult for two users to have the same security questions and thus knowing one another's answers.
The third question, and one that I initially thought would be difficult to program, involves a set of images unique to the user. When a user logs in, their username is assigned a set of 10 images - these images will always remain the same for the user and will always appear in the same order. This type of user verification is similar to what you might see on a banking website. With this third question, we can be sure that no two users will have the same answers.
Once the account is set-up, the user is given three options to proceed - the old username/SSN/DOB combo and two new methods. The first new method allows the user to enter their username and current password which would take them directly a change password page. The second new option allows the user to enter their username and then answer the three security questions previously set-up as verification before proceeding to the change password page. The existing username/SSN/DOB method still exists and requires answering the verification questions.
Once logged in, the user can also manage their account. This is helpful in the event a user feels their verification questions have been compromised or forgotten.
Only1 version 4 has been live since Monday and seems to be running smoothly so far.