Hi All,

I'm working on $subject.

We are planning to prevent this flow from brute force attacks by enabling
the following:

   1. Enable captcha/reCaptcha after n failed attempts
   2. Lock the account after n failed attempts for a period of time


*How to track failed attempts?*

We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim
which is used in the login flow to track failed login attempts. Since this is
a different flow, using the same claim to track the failed password reset
attempts will lead to unintended situations. (Ex: After n number of failed
attempts in the login flow, a user may try to reset the password. In this
case, the user will see a captcha if the number of failed attempts has reached
the maximum. But since this is the first time the user has tried to reset
the password, the captcha is redundant.)

So we will introduce a new claim called
"http://wso2.org/claims/identity/failedPasswordResetAttempts" to track this.


*Implementation*

*Enable captcha/reCaptcha after n failed attempts* - A new Captcha connector
will be introduced to handle this. The configuration of the connector UI will
allow modifying the connector according to the requirements.

*Lock the account after n failed attempts for a period of time* - Account
lock will be handled from the identity recovery REST API logic. Also the
"PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused to
send notifications in case of account lock.

Appreciate your input.

Thanks,
Thanuja

-- 
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
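The counter-separation argument above (a separate failedPasswordResetAttempts claim so that login failures do not trigger a captcha on the user's first reset attempt, captcha after n failures, lock after n failures for a fixed period, and PRE/POST set-claims events fired on every claim update) can be modelled end to end. The following is an added Python model written for this thread, not WSO2 code: the two failed-attempt claim URIs are the ones quoted in the mail, while the accountLocked and unlockTime claim names, the Policy thresholds, the in-memory claim store and the user "alice" are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Claim URIs quoted in the thread.
FAILED_LOGIN = "http://wso2.org/claims/identity/failedLoginAttempts"
FAILED_RESET = "http://wso2.org/claims/identity/failedPasswordResetAttempts"
# Hypothetical claim names used only by this model to carry the lock state.
ACCOUNT_LOCKED = "accountLocked"
UNLOCK_TIME = "unlockTime"


@dataclass
class Policy:
    captcha_after: int = 3    # require a captcha once reset failures reach this count
    lock_after: int = 5       # lock the account once reset failures reach this count
    lock_seconds: int = 900   # how long the lock lasts (constructed value)


@dataclass
class ResetDecision:
    allowed: bool                  # False while the account is locked
    captcha_required: bool         # True once the reset counter hits captcha_after
    locked_until: Optional[float]  # absolute time the lock expires, if locked


class ResetAttemptTracker:
    """Tracks password-reset failures independently of login failures."""

    def __init__(self, policy: Policy, claims: Dict[str, Dict[str, object]]):
        self.policy = policy
        self.claims = claims  # user -> {claim URI/name -> value}; stand-in for the user store
        self.events: List[Tuple[str, str, dict]] = []  # PRE/POST set-claims events fired

    def _set_claims(self, user: str, updates: dict) -> None:
        # Mirror the event pair the mail proposes to reuse for lock notifications.
        self.events.append(("PRE_SET_USER_CLAIMS", user, dict(updates)))
        self.claims.setdefault(user, {}).update(updates)
        self.events.append(("POST_SET_USER_CLAIMS", user, dict(updates)))

    def check(self, user: str, now: float) -> ResetDecision:
        """Decide whether the reset flow may proceed and whether a captcha is needed."""
        c = self.claims.get(user, {})
        if c.get(ACCOUNT_LOCKED):
            if now < float(c.get(UNLOCK_TIME, 0)):
                return ResetDecision(False, False, float(c[UNLOCK_TIME]))
            # Lock period is over: clear the lock and the reset counter only.
            self._set_claims(user, {ACCOUNT_LOCKED: False, UNLOCK_TIME: 0, FAILED_RESET: 0})
            c = self.claims[user]
        failures = int(c.get(FAILED_RESET, 0))  # login failures are deliberately ignored here
        return ResetDecision(True, failures >= self.policy.captcha_after, None)

    def record_failure(self, user: str, now: float) -> ResetDecision:
        """Increment the reset counter; lock the account when the threshold is reached."""
        failures = int(self.claims.get(user, {}).get(FAILED_RESET, 0)) + 1
        updates: dict = {FAILED_RESET: failures}
        if failures >= self.policy.lock_after:
            updates[ACCOUNT_LOCKED] = True
            updates[UNLOCK_TIME] = now + self.policy.lock_seconds
        self._set_claims(user, updates)
        return self.check(user, now)

    def record_success(self, user: str) -> None:
        """A successful reset clears the reset counter but leaves the login counter alone."""
        self._set_claims(user, {FAILED_RESET: 0})


def run_scenario() -> Tuple[ResetAttemptTracker, List[ResetDecision]]:
    # Constructed store: alice already has 4 failed *login* attempts but no reset attempts.
    store: Dict[str, Dict[str, object]] = {"alice": {FAILED_LOGIN: 4, FAILED_RESET: 0}}
    tracker = ResetAttemptTracker(Policy(captcha_after=3, lock_after=5, lock_seconds=900), store)
    decisions = [tracker.check("alice", now=1000.0)]       # first reset attempt: no captcha
    for _ in range(5):                                     # five wrong answers in a row
        decisions.append(tracker.record_failure("alice", now=1000.0))
    decisions.append(tracker.check("alice", now=2000.0))   # after the 900 s lock has expired
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = run_scenario()
    for i, d in enumerate(decisions):
        print(i, d)
    print("login counter untouched:", tracker.claims["alice"][FAILED_LOGIN])
```

In the scenario the first check returns no captcha even though four login failures are on record, which is exactly the "redundant captcha" case the mail wants to avoid; the third reset failure turns the captcha on, the fifth sets the lock, and a check after the lock window clears the lock and the reset counter while leaving failedLoginAttempts at 4. Every lock update goes through the PRE/POST set-claims pair, so a notification hook listening on those events would fire for the lock.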
