I'm currently building a web based membership application form that will require a user to enter an SSN and other identifiable information. Part of the requirements of the membership application is to allow a user to be able to resume their application and pre-fill of the information they already entered into the form fields. The stakeholders do not want to burden the user with a username and password. We have come up with the following alternative authentication method.
A user can start an application and click a button to "Save" their application. When they click "Save" an email is sent to them and they receive a 6 character alpha numeric reference code.
To "resume" the application the user must then enter the 6 character reference code as well as their birth date, last name, and last four digits of their SSN.
My question is, on a scale of 1 to 10 what would the risk factor in allowing a user to authenticate in this manner. What is the probability that someone could load someone else's application if they brute force attacked the web based form. And if the risk scale is high, then what can I do to increase the security on this form. I can't implement a password system and the reference code needs to be simple enough that someone could over the phone present the code to a customer service agent.
Reference Codes will expire after 1 week on non-use. Reference Codes will expire once the form has been submitted. The web application is using HTTPS and TLS to transfer the data.
About 200 applications will be submitted per week, so around a max of around 200 applications might have active reference codes in a given week.