What extra security does a 2-step website login process with a PIN provide?
I find it hard to see what security benefits this could provide. In multifactor authentication, the point is to use different factors — i.e., "something you know", "something you have", "something you are". Just repeating the same factor twice seems a bit pointless.
But let me speculate some about what the purpose could be.
1. Stop keyloggers
Only dumb malware tries to get passwords by blindly logging key strokes. Requiring the use of a drop down menu may protect against some malware, but in the end trying to hide user input when the computer is already infected is a loosing game. See this question for a related discussion. In the end, I think the benefits are small here.
2. Increase entropy
If you add a six digit PIN to the password, you get 106 times as many combinations to brute force or almost 20 extra bits of entropy, right? (Or 103 times or 10 bits if you only count the three digits entered.) Yeah, but why not just require a longer password?
Perhaps you want to split it in two to make one part (the PIN) truly random and thereby give protection to users who pick weak passwords. But what does this protect against? For online attacks, you should already have rate limiting in place to deal with this. For offline attacks, you would need to hash the PIN together with the password to get any benefits. But since you can log in providing only three out of six digits they don't seem to be doing this (unless they keep 20 hashes for all possible digit combinations).
3. Limit the effect of stolen passwords
Let's say your password gets stolen (say in a phishing attack). If the attack is only performed once, the attacker will only get half of the PIN. She will therefore not be able to easily log in if she is asked for other digits than the ones she got.
I don't see this as a big benefit. Just repeat the attack a couple of times, or attempt to login multiple times (or from different IP's) until you are prompted for the digits you have.
Drawbacks
- It makes users more likely to write the PIN (and perhaps the password while they are at it) down on a post it or an email.
- You can not log in using only a password manager. Why make it harder for people who use safe methods to manage their passwords?
Conclusion
I can't see any security benefits that would motivate having the user memorise an extra PIN and go through the hassle of picking numbers from drop down menus. To me this smells of security theater. But perhaps I am missing something.
Edit: Yes, I did miss something. See supercat's answer. It's a very good point, but I'm not sure I would think it is worth it anyway.
A system which locks out an account, even temporarily, in response to invalid password attempts will make it very easy to conduct a denial-of-service attack against someone. Using a two-part authentication makes it possible to have very strict lockout policies on the second part while still remaining resistant to denial-of-service attacks. If someone found out that a person's password on one system was Justin-Bieber, a system with a single part password wouldn't be able to distinguish targeted break-in attempts using variations on that password (e.g. Justin-Bieber1, Justin4Bieber, etc.) from random password entries which are intended to trigger a denial-of-service.
Splitting the password into two parts would mean that an attacker would get notice that the first part was correct but the most likely prize would not be access to the account, but merely the ability to trigger a lockdown on it until the real user authenticates via other means; since the user would know that someone else had the primary password, the user would then change that password, rendering it useless.
If you want strong authentication without the cost of sending SMS you can use TOTP with the Google authenticator app.
Indeed, the pin solution doesn't seem to add a lot of additional security. I also don't fully understand the mechanism. They enter 3 digits from a 6 digit pin. How did they obtain the 6 digit pin and how are the tree digits selected? Also 10^3 is not such a large number, meaning the pin can be brute forced if no measures are taken. If you can clarify the pin mechanism I might be able to give more insights on it's security benefits.
EDIT: based on your update this is already a weak form of two factor authentication since the pin is communicated via e-mail. Why there are 3 digits selected out of the 6 in the e-mail is still a mystery to me. The reason I say 'weak' is because 3 digit pin code is very short and can be brute forced if no other protection is present.
Also, the dropdown thing to prevent keyloggers from logging the pin is a really weak form of protection. If you have the capability of logging keystrokes you also have the capability to check which number is selected. Or does anyone believe there are cases where keylogging is possible but monitoring clicks is not? Maybe in a hardware keylogger?