Hi Isura,

On Mon, Jun 20, 2016 at 5:54 PM, Isura Karunaratne <[email protected]> wrote:

> Hi Thanuja,
>
> On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <[email protected]>
> wrote:
>
>> Hi All,
>>
>> I'm working on $subject.
>>
>> We are planning to prevent this flow from brute force attacks by
>> enabling followings,
>>
>>    1. Enable captcha/reCaptcha after n failed attempts
>>    2. Lock the account after n failed attempts for a period of time
>>
>>
>> *How to track failed attempts?*
>>
>> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim
>> which is used in the login flow to track failed login attempts. Since this is
>> a different flow, using the same claim to track the failed password
>> reset attempts will lead to unintended situations. (Ex: After n number
>> of failed attempts in the login flow, a user may try to reset the password.
>> In this case, the user will see captcha if the number of failed attempts
>> has reached the maximum. But since this is the first time the user
>> tries to reset the password, captcha is redundant.)
>>
>> So we will introduce a new claim called
>> "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track
>> this.
>>
>
> +1 for having a separate claim for tracking password reset failed
> attempts since it is different from login attempts.
>
>>
>>
>> *Implementation*
>>
>> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha
>> connector will be introduced to handle this. The configuration of the connector
>> UI will allow modifying the connector according to the requirements.
>>
>
>> *Lock the account after n failed attempts for a period of time* -
>> Account lock will be handled from the identity recovery REST API logic.
>> Also "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be
>> reused to send notifications in case of account lock.
>>
> Where can we define the lock time? Is it a new configuration or the same
> configuration used for account lock with invalid credentials?
>
>
Yes, we are planning to use the same configuration used in "account lock
with invalid credentials", because we can consider this a possible way
for a user account to get locked.


> Thanks
> Isura.
>
>>
>> Appreciate your input.
>>
>> Thanks,
>> Thanuja
>>
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>
>
>
>
Thanks,

-- 
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
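The design discussed in this thread (a separate failed-attempt counter for the password reset flow, captcha after n failures, and an account lock for a period of time that reuses the "account lock with invalid credentials" policy), worked through as an added example. This is not WSO2 Identity Server code: the two counter claim URIs are the ones named in the thread, while the lock-expiry claim name, the thresholds, the lock duration and the in-memory claim store are assumptions chosen for illustration.

```python
"""Per-flow failed-attempt tracking with captcha and timed account lock.

Added example, not WSO2 Identity Server code. The login and password-reset
counter claims come from the mailing-list thread; everything else below
(lock claim name, thresholds, duration, ClaimStore) is an assumption.
"""
import time

# Claims named in the thread: one counter per flow, so failures in the
# login flow do not trigger captcha in the password reset flow.
LOGIN_CLAIM = "http://wso2.org/claims/identity/failedLoginAttempts"
RESET_CLAIM = "http://wso2.org/claims/identity/failedPasswordResetAttempts"

# Hypothetical claim holding the lock expiry as a Unix timestamp (0 = unlocked).
LOCK_UNTIL_CLAIM = "urn:example:claims/lockedUntil"

# Single "account lock with invalid credentials" policy shared by both flows,
# as the thread proposes. The values are assumptions.
CAPTCHA_AFTER = 3        # show captcha once this many failures are recorded
LOCK_AFTER = 5           # lock the account at this many failures
LOCK_SECONDS = 15 * 60   # lock duration


class ClaimStore:
    """Minimal in-memory stand-in for the user store's claim map (assumed API)."""

    def __init__(self):
        self._claims = {}

    def get(self, user, claim, default=0):
        return self._claims.get((user, claim), default)

    def set(self, user, claim, value):
        self._claims[(user, claim)] = value


def pre_check(store, user, counter_claim, now=None):
    """Decide what the flow must do before accepting an attempt.

    Returns 'locked' (reject), 'captcha' (require captcha) or 'ok'.
    The lock is account-wide; the captcha decision uses only the counter
    belonging to the flow being attempted.
    """
    now = time.time() if now is None else now
    lock_until = store.get(user, LOCK_UNTIL_CLAIM)
    if lock_until > now:
        return "locked"
    if lock_until:
        # Lock period has elapsed: clear it and start both counters afresh.
        store.set(user, LOCK_UNTIL_CLAIM, 0)
        store.set(user, LOGIN_CLAIM, 0)
        store.set(user, RESET_CLAIM, 0)
    if store.get(user, counter_claim) >= CAPTCHA_AFTER:
        return "captcha"
    return "ok"


def record_attempt(store, user, counter_claim, succeeded, now=None):
    """Update the flow's own counter after an attempt; lock at LOCK_AFTER.

    Returns the flow's failure count after the update (0 after a success).
    """
    now = time.time() if now is None else now
    if succeeded:
        store.set(user, counter_claim, 0)
        return 0
    failures = store.get(user, counter_claim) + 1
    store.set(user, counter_claim, failures)
    if failures >= LOCK_AFTER:
        # In the thread's design the PRE/POST_SET_USER_CLAIMS event handlers
        # would observe this claim update and send the lock notification.
        store.set(user, LOCK_UNTIL_CLAIM, now + LOCK_SECONDS)
    return failures


if __name__ == "__main__":
    # Constructed scenario from the thread: failed logins must not cause
    # captcha on the user's first password reset attempt.
    store = ClaimStore()
    for _ in range(CAPTCHA_AFTER):
        record_attempt(store, "alice", LOGIN_CLAIM, False, now=1000)
    print("login:", pre_check(store, "alice", LOGIN_CLAIM, now=1000))
    print("reset:", pre_check(store, "alice", RESET_CLAIM, now=1000))
```

Keeping the captcha decision per flow but the lock account-wide matches the thread: a separate counter avoids the redundant captcha Thanuja describes, while a lock reached through either flow is the same "account lock with invalid credentials" outcome and so can share one lock-time configuration.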