Users of electronic payment systems and the like are typically required to authenticate themselves using one or more credentials, such as a PIN or a passcode. For security reasons, it is important that the credentials are protected from unauthorised access; however, a legitimate user may forget a credential, and may therefore need to be re-advised of it in a secure manner. Conventionally, a user is authenticated manually, and the credential is sent out to the registered address of the user by mail.
The applicant's PCT Published Application No. WO-A-2007/096590 discloses a PIN servicing system using a smart card reader, in which a PIN servicing request is encrypted by the smart card and sent to a PIN servicing facility, which returns an encrypted PIN servicing message for decryption by the smart card. The PIN servicing message may include the user's PIN. Although this method is secure, it requires a dedicated smart card reader.
PCT Published Application No. WO-A-2010/028163 discloses a method of retrieving a PIN online, one character at a time. The PIN characters are decrypted before being sent to the user, and are therefore vulnerable to interception if the connection to the user is compromised.