by bbatchelder
4967 days ago
> First, all normal precautions would be taken (no common digit patterns - 1234, 1111, 2222, etc). Why? All you are doing is further reducing an already limited key space. This authentication scheme is bad, and you should feel bad. :)
We'll be focusing on mobile, and the login process could be something like PayPal's mobile app, where they let you log in with your phone number and PIN (min 4 digits). I'm just looking for a secure way to translate that to a web app.
Something that could help: sessions could persist for an infinite amount of time, so upon first login we send them 4 random digits via SMS, and if they enter them correctly they're authenticated. Basically two-factor auth without the initial password.
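The thread's two concerns (a 4-digit code is a tiny key space; an SMS code on first login can still be acceptable if it is single-use, short-lived and attempt-limited) can be made concrete with a small verifier. The code below is an added example written for this page, not code from the poster or from PayPal; the class and function names (`SmsOtpVerifier`, `guess_success_probability`), the limits (`OTP_TTL_SECONDS`, `MAX_ATTEMPTS`) and the phone number used as a key are all assumptions chosen for illustration. The "SMS send" is simulated by returning the code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 4            # the 4 random digits from the post
OTP_TTL_SECONDS = 300     # assumed lifetime of a code before it is discarded
MAX_ATTEMPTS = 3          # assumed cap on wrong guesses per issued code


@dataclass
class PendingChallenge:
    """One outstanding SMS code for one phone number."""
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpVerifier:
    """Issues and checks one-time 4-digit codes keyed by phone number.

    A clock callable is injected so expiry can be tested deterministically.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # phone -> PendingChallenge

    def issue(self, phone):
        # secrets.randbelow gives a CSPRNG value; zero-pad to OTP_DIGITS.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-issuing replaces any earlier code, so only one is ever live.
        self.pending[phone] = PendingChallenge(code, self.clock())
        return code  # in a real system this is handed to the SMS gateway

    def verify(self, phone, submitted):
        challenge = self.pending.get(phone)
        if challenge is None:
            return False  # nothing outstanding (never issued, used, or locked)
        if self.clock() - challenge.issued_at > OTP_TTL_SECONDS:
            del self.pending[phone]
            return False  # expired: the user must request a fresh code
        challenge.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        ok = hmac.compare_digest(challenge.code, submitted)
        if ok or challenge.attempts >= MAX_ATTEMPTS:
            # Success consumes the code; too many failures discards it.
            del self.pending[phone]
        return ok


def guess_success_probability(digits, attempts):
    """Chance that `attempts` random guesses hit a uniform `digits`-digit code."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    verifier = SmsOtpVerifier()
    phone = "+15555550100"  # constructed sample number
    code = verifier.issue(phone)
    print("simulated SMS:", code)
    print("correct code accepted:", verifier.verify(phone, code))
    print("replay rejected:", not verifier.verify(phone, code))
    print("p(success) with 3 guesses on 4 digits:",
          guess_success_probability(OTP_DIGITS, MAX_ATTEMPTS))
```

With the attempt cap in place, a guesser gets at most 3 tries per issued code, so the 10,000-value key space yields a 0.03% chance per code; without the cap, the same key space is exhausted in a few thousand requests, which is the point the quoted reply is making.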