Extension for frontend use (component + plugin) that asks for a PIN for added account security.
Purpose: To add security to user accounts. The component will display a form for the user to enter a 4 to 6-digit PIN on first login. Then the component will prompt the user for that PIN under certain conditions.
Deadline:
1 week from project approval
Requirements:
Joomla 1.5 native application using the Joomla Framework in MVC.
Absolutely no hack to the Joomla code.
Developer experienced with the Joomla framework only.
Sessions may be used.
Database for the component:
- table name: user_pin
id, userid, pin, cell, timestamp, unlockcode, tries
- table name: user_ips (for authorized IPs)
id, userid, IP
Description:
1) Get user's PIN
After the user's first login is successful, a plugin will detect if that user has a PIN in the system or not. If not, the page will redirect to the component.
The component view will be a form with some text and three fields: enter your PIN, verify your PIN and enter your cell phone number. PINs can be 4 to 6 digits. JavaScript will be used to check that the PIN is composed only of digits, that there are 4 to 6 digits, and that the two inputs match.
Once the form is validated and sent, the PIN and cell number will be stored in the database along with the userid, user IP and the timestamp (date + time).
2) Prompt for PIN
If the conditions are met (see #3), then we ask for the PIN. The plugin will detect the new user session and redirect the user to the component. The component view will be a form asking the user to enter the PIN.
If the PIN is correct, then update the database with the IP (if new) and the timestamp.
If the PIN is wrong: the user gets X tries (default 3), and then he will be able to reset his PIN. See 4).
3) Conditions
The plugin will only prompt users after logging in, not in the middle of an active session. Conditions can be configured in the plugin configuration screen.
- when user has a different IP address
- when timestamp is greater than X days
- randomly (once per visit, but number of visits in between can be random) between X visits and Y visits (random between 5 and 10 visits)
- every X visits
- on every login (default)
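The condition check above could be written as one plain PHP function that the plugin calls once per login. This is an added example, not part of the original specification and not Joomla API code. All function, key and config names are hypothetical, and the `visits` and `next_prompt_at` counters are assumed extra state that the listed table columns do not include.

```php
<?php
// Added example: names are hypothetical. $pinRow mirrors a user_pin row,
// $knownIps holds the user's rows from user_ips. 'visits' counts logins since
// the last PIN prompt; 'next_prompt_at' is the stored random threshold.

/**
 * Decide, once per login, whether the PIN prompt is required.
 * Returns the name of the first matching condition, or null for no prompt.
 */
function pin_prompt_reason(array $cfg, array $pinRow, array $knownIps, $currentIp, $now)
{
    if (!empty($cfg['on_every_login'])) {              // the spec's default
        return 'every_login';
    }
    if (!empty($cfg['on_new_ip']) && !in_array($currentIp, $knownIps, true)) {
        return 'new_ip';
    }
    if (!empty($cfg['max_age_days'])) {
        $ageDays = ($now - strtotime($pinRow['timestamp'])) / 86400;
        if ($ageDays > $cfg['max_age_days']) {
            return 'timestamp_expired';
        }
    }
    if (!empty($cfg['every_n_visits']) && $pinRow['visits'] >= $cfg['every_n_visits']) {
        return 'every_n_visits';
    }
    // Assumed reading of the "random" condition: a threshold between X and Y
    // is drawn after each prompt and compared against the visit counter.
    if (!empty($cfg['random_min']) && $pinRow['visits'] >= $pinRow['next_prompt_at']) {
        return 'random_visits';
    }
    return null;
}

/** Draw the next threshold between X and Y visits, inclusive. */
function next_random_threshold($min, $max)
{
    return mt_rand($min, $max); // scheduling only; not suitable for reset codes
}

// Constructed sample data: "every login" switched off to exercise the others.
$cfg = array('on_every_login' => false, 'on_new_ip' => true, 'max_age_days' => 30,
             'every_n_visits' => 0, 'random_min' => 5, 'random_max' => 10);
$row = array('timestamp' => '2024-01-01 09:00:00', 'visits' => 3, 'next_prompt_at' => 7);
$now = strtotime('2024-01-10 09:00:00');

var_dump(pin_prompt_reason($cfg, $row, array('203.0.113.5'), '203.0.113.5', $now));  // known IP, recent PIN entry
var_dump(pin_prompt_reason($cfg, $row, array('203.0.113.5'), '198.51.100.7', $now)); // IP not in user_ips
```

After a successful PIN entry the caller would reset `visits` to 0 and store a fresh `next_random_threshold()` value.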
4) Recovery/reset procedure
After 3 tries, the component will start the PIN reset process. At this time, the user has two options:
a. a reset code (randomly generated and stored in the db) can be sent by EMAIL to the user's email (the one used to register to the site)
b. a reset code (randomly generated) can be sent by SMS to the user's cell phone that is already in the db.
Once the user gets the code, he can enter it on the screen. If the user logs out or becomes inactive, then stop. The plugin would detect that upon the next login and will immediately start the reset process again without prompting for the PIN.
If the code is entered correctly, the component will prompt for the PIN again.
Here is a working plugin that is only for the administration of Joomla and that uses that SMS functionality as a reference: [login to view URL]