How would you implement a 'challenge' question?
So, in the case of applications where security is of great importance, how would you implement the challenge question idea? That is, you would:
- Detect if the computer IP has changed and hence ask for the challenge question.
- Detect if the cookie is missing.
- Detect if the computer name is different.
- Some combinations of the methods above?
I am currently working on a forex platform in asp.net/c# and thinking about how to implement this feature for best results. I think the best and only way will be to check for a cookie change, since if I base it on the IP, the IP might be dynamic, assigned by the ISP of the client; also if I count on the computer name then it's not that bright since the computer might be used by more than the user in question. Of course if I count on the cookie then the browser might be used by more than a single person, but this is why this is an additional security measure and not the very password/username authentication. Other than that, getting the computer name (if possible??) + cookie change seems to be the best method. I am tagging this as c#/java since the 2 are very common these days when it comes to authentication and security. 10x!
One thing facebook did that I thought was good... You can enable an option to have them put a cookie in your browser... Unique for each computer you use... Then if someone without a cookie in the browser logs in to your account, they send an email to you letting you know... I think they geolocate the source ip of the unknown computer and put it in the email as well... So if you live in the US, you wouldn't expect a login from Russia. Not everyone accepts cookies, but for those who do, this optional feature is great and financial firms should do it too...
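The cookie-based check the question leans toward, combined with the "login from an unrecognised computer" notification described in the answer above, could look like this on the server side. This is an added example in C#, not code from the question, the answers, or any particular platform; the server secret, the in-memory known-device dictionary, and the class and field names are assumptions standing in for real configuration and a database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or answers. The server issues an
// HMAC-signed device cookie once a browser has passed the challenge question;
// later logins are challenged only when that cookie is missing, forged, bound to
// another account, or no longer in the user's list of known devices. The client
// IP is recorded for the notification only: ISP-assigned addresses change
// routinely, so an IP change alone is not a trigger.
public sealed class ChallengeDecision
{
    public bool RequireChallenge;   // show the challenge question before granting the session
    public bool NotifyUser;         // send the "login from an unrecognised computer" email
    public string Reason;           // for the audit log and the notification text
}

public sealed class DeviceRecognition
{
    private readonly byte[] _serverKey;   // secret kept server-side, never sent to the client
    // userId -> device ids this user has verified (constructed stand-in for a DB table)
    private readonly Dictionary<string, HashSet<string>> _knownDevices =
        new Dictionary<string, HashSet<string>>();

    public DeviceRecognition(byte[] serverKey)
    {
        if (serverKey == null || serverKey.Length < 32)
            throw new ArgumentException("use a random key of at least 32 bytes");
        _serverKey = serverKey;
    }

    // Called after the user answers the challenge correctly on this browser.
    // Cookie format: deviceId.userId.hmac. The HMAC binds the device id to the
    // user, so a cookie copied from a different account's browser is not recognised.
    public string IssueCookie(string userId)
    {
        if (string.IsNullOrEmpty(userId) || userId.Contains("."))
            throw new ArgumentException("user id must be non-empty and contain no '.'");
        string deviceId = Guid.NewGuid().ToString("N");   // 32 hex chars, no separators
        string payload = deviceId + "." + userId;
        HashSet<string> devices;
        if (!_knownDevices.TryGetValue(userId, out devices))
            _knownDevices[userId] = devices = new HashSet<string>();
        devices.Add(deviceId);
        return payload + "." + Sign(payload);
    }

    // Lets the user forget a computer (lost laptop, shared PC) without changing the key.
    public void Revoke(string userId, string deviceId)
    {
        HashSet<string> devices;
        if (_knownDevices.TryGetValue(userId, out devices)) devices.Remove(deviceId);
    }

    // Evaluate a login attempt that has already passed the password check.
    public ChallengeDecision Evaluate(string userId, string cookieValue, string clientIp)
    {
        ChallengeDecision d = new ChallengeDecision { RequireChallenge = true, NotifyUser = true };
        if (string.IsNullOrEmpty(cookieValue))
        {
            d.Reason = "no device cookie; login from " + clientIp;
            return d;
        }
        string[] parts = cookieValue.Split('.');
        if (parts.Length != 3 || !FixedTimeEquals(Sign(parts[0] + "." + parts[1]), parts[2]))
        {
            d.Reason = "device cookie failed signature check; login from " + clientIp;
            return d;
        }
        if (!string.Equals(parts[1], userId, StringComparison.Ordinal))
        {
            d.Reason = "device cookie belongs to a different account; login from " + clientIp;
            return d;
        }
        HashSet<string> devices;
        if (!_knownDevices.TryGetValue(userId, out devices) || !devices.Contains(parts[0]))
        {
            d.Reason = "device cookie revoked or unknown; login from " + clientIp;
            return d;
        }
        d.RequireChallenge = false;
        d.NotifyUser = false;
        d.Reason = "recognised device " + parts[0];
        return d;
    }

    private string Sign(string payload)
    {
        using (HMACSHA256 mac = new HMACSHA256(_serverKey))
        {
            byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }

    // Constant-time comparison so a caller cannot measure how much of a forged tag matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In an ASP.NET handler the cookie would be set with `HttpOnly` and `Secure` after `IssueCookie`, and `Evaluate` would run right after the password check; when `NotifyUser` is true the `Reason` text (with the IP, and a geolocation lookup if you have one) is what goes in the email. Keeping the device list server-side is what makes revocation possible: the cookie alone proves nothing once the user removes that device.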
My bank (and many others) rely on some form of constant two-factor auth. It could be as simple as your best friend's name, or if they're like my online broker, high value accounts over a certain balance threshold get a time-based password token. You must log in first with your password, and then with the token number.
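The second step described above, a time-based token checked after the password, is what the server-side verifier below implements. This is an added example in C#, not code from the answer or from any bank's system; it assumes the RFC 6238 TOTP scheme with 30-second steps and 6 digits, a shared secret provisioned to the user's token out of band, and a per-user `LastAcceptedStep` value that would live in the database.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the answer: server-side check of a time-based
// one-time password (RFC 6238 TOTP, 30-second steps, 6 digits) used as the
// second step after the password. Assumptions: the secret was provisioned to
// the user's token out of band, and LastAcceptedStep is persisted per user
// so an intercepted code cannot be replayed within its validity window.
public sealed class TotpVerifier
{
    private const int StepSeconds = 30;
    private const int Digits = 6;
    private readonly byte[] _secret;
    public long LastAcceptedStep = -1;   // constructed stand-in for a per-user DB column

    public TotpVerifier(byte[] secret)
    {
        if (secret == null || secret.Length == 0) throw new ArgumentException("empty secret");
        _secret = secret;
    }

    // HOTP value for one time step: HMAC-SHA1 over the big-endian step counter,
    // then the RFC 4226 dynamic truncation to a 31-bit integer reduced to 6 digits.
    public static int CodeAt(byte[] secret, long step)
    {
        byte[] counter = BitConverter.GetBytes(step);
        if (BitConverter.IsLittleEndian) Array.Reverse(counter);
        using (HMACSHA1 mac = new HMACSHA1(secret))
        {
            byte[] h = mac.ComputeHash(counter);
            int offset = h[h.Length - 1] & 0x0f;
            int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                       | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
            return binary % 1000000;
        }
    }

    // Accept the current step and one step either side (token clock drift), but
    // never a step at or before the last one this user already used.
    public bool Verify(string submitted, long unixNow)
    {
        int code;
        if (submitted == null || submitted.Length != Digits || !int.TryParse(submitted, out code))
            return false;
        long current = unixNow / StepSeconds;
        for (long step = current - 1; step <= current + 1; step++)
        {
            if (step <= LastAcceptedStep) continue;   // replay protection
            if (CodeAt(_secret, step) == code)
            {
                LastAcceptedStep = step;              // persist this in the real system
                return true;
            }
        }
        return false;
    }
}
```

The replay check is the part most often left out: without it, a code captured by a phishing page or keylogger stays usable for up to 90 seconds. Rate-limit `Verify` per account as well, since a 6-digit space with a three-step window is small enough to guess under unlimited attempts.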
Most financial sites use a hosted picture from their site that you choose to have displayed for your password logins... This helps reduce the risk of phishing losses.