I guess we discussed some of the options in a different thread too...

Here are a few things we should do to mitigate brute force attacks...

1. Lock the account after n failed login attempts - only the identity
admin (or helpdesk admin) can unlock the account.
2. Lock the account after n failed login attempts - and automatically
unlock the account after t minutes.
3. Lock the account after n failed login attempts - and unlock the
account only when the account owner clicks on a link sent to his
registered email address.
4. Do not lock the account - after n failed login attempts, display a
captcha.
5. Do not lock the account - incrementally increase the response time of
failed login responses.

In all these scenarios, we need to track all the data associated with the
login request and build an IP blacklist.

Can we represent all the above scenarios as policies? Ideally, we should be
able to apply these policies to users by tenant, role or group, user store,
or globally...

Thanks & regards,
-Prabath


On Thu, Jun 16, 2016 at 12:23 PM, Harsha Thirimanna <[email protected]>
wrote:

> Hi All,
>
> Currently We are working on $subject.
>
> When a user tries to log in with invalid credentials until the maximum
> attempt count is reached, we lock the account for a specific time. After that
> time, we allow the user to try again, and the account is locked again if the
> user tries to log in with invalid credentials for the maximum number of
> attempts. Now we are going to increase the lock time over the previous lock
> time. This ratio would be a configurable value.
>
> As another improvement, when a registered user tries to log in to the
> system without email confirmation, inform him that verification is pending
> and give him the ability to resend the confirmation code to the registered
> email address.
>
> Your comments and suggestions are highly appreciated.
>
> thanks
>
> *Harsha Thirimanna*
> Associate Tech Lead; WSO2, Inc.; http://wso2.com
> email: [email protected] cell: +94 71 5186770
> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> *Lean . Enterprise . Middleware*
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
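The following is an added example written for this thread, not code from the thread, from Harsha's implementation or from WSO2 Identity Server. It puts the five options in Prabath's list, the growing lock time from Harsha's proposal (first lock t, then t*r, t*r^2, ... for a configurable ratio r), the per-IP failure tracking that feeds a blacklist, and the tenant / role / user store / global scoping into one small policy engine. The class and field names, the dict-keyed policy table, and the scope precedence (role, then user store, then tenant, then global) are assumptions of this example; the sample subjects and IPs in the usage below are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple

class Mode(Enum):
    ADMIN_UNLOCK = 1  # 1. lock; only an identity/helpdesk admin can unlock
    TIMED_UNLOCK = 2  # 2. lock; auto-unlock after t, and t grows per lockout
    EMAIL_UNLOCK = 3  # 3. lock; the owner unlocks via a link mailed to them
    CAPTCHA = 4       # 4. no lock; demand a captcha after n failures
    BACKOFF = 5       # 5. no lock; slow each failed response down

@dataclass(frozen=True)
class Policy:
    mode: Mode
    max_attempts: int = 5           # n
    lock_seconds: float = 300.0     # t for the first lockout
    lock_growth_ratio: float = 2.0  # configurable ratio: t, t*r, t*r^2, ...
    backoff_seconds: float = 1.0    # base delay for BACKOFF, doubles per failure
    ip_fail_threshold: int = 20     # failures from one IP before it is blacklisted

@dataclass
class AccountState:
    failures: int = 0                     # consecutive failures since last success
    lockouts: int = 0                     # lifetime lock count, drives lock growth
    locked_until: Optional[float] = None  # epoch seconds; inf means a hard lock
    pending_token: Optional[str] = None   # EMAIL_UNLOCK link token

@dataclass(frozen=True)
class Subject:
    user: str
    tenant: str
    user_store: str
    roles: Tuple[str, ...] = ()
    ip: str = "0.0.0.0"

class LockoutEngine:  # illustrative engine for this thread, not WSO2 Identity Server code
    def __init__(self, policies: Dict[Tuple[str, str], Policy], clock: Callable[[], float] = time.time):
        # keys: ("role", name), ("user_store", name), ("tenant", domain), ("global", "")
        self.policies = policies
        self.clock = clock  # injectable so lock expiry can be tested without sleeping
        self.accounts: Dict[str, AccountState] = {}
        self.ip_failures: Dict[str, int] = {}
        self.ip_blacklist: Set[str] = set()

    def policy_for(self, s: Subject) -> Policy:
        # most specific scope wins: role > user store > tenant > global (assumed order)
        for role in s.roles:
            if ("role", role) in self.policies:
                return self.policies[("role", role)]
        for key in (("user_store", s.user_store), ("tenant", s.tenant), ("global", "")):
            if key in self.policies:
                return self.policies[key]
        raise KeyError("no global lockout policy configured")

    def attempt(self, s: Subject, password_ok: bool, captcha_ok: bool = False) -> dict:
        now, pol = self.clock(), self.policy_for(s)
        st = self.accounts.setdefault(s.user, AccountState())
        if s.ip in self.ip_blacklist:
            return {"result": "deny", "reason": "ip_blacklisted"}
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.failures = None, 0  # timed lock expired; lockouts is kept
        if st.locked_until is not None:
            return {"result": "locked", "reason": pol.mode.name.lower(), "until": st.locked_until}
        if password_ok:
            if pol.mode is Mode.CAPTCHA and st.failures >= pol.max_attempts and not captcha_ok:
                return {"result": "captcha_required"}
            st.failures = 0
            return {"result": "allow"}
        st.failures += 1  # a failure is counted per account and per source IP in every mode
        self.ip_failures[s.ip] = self.ip_failures.get(s.ip, 0) + 1
        if self.ip_failures[s.ip] >= pol.ip_fail_threshold:
            self.ip_blacklist.add(s.ip)
        if pol.mode is Mode.BACKOFF:
            return {"result": "deny", "delay": pol.backoff_seconds * 2 ** (st.failures - 1)}
        if pol.mode is Mode.CAPTCHA:
            return {"result": "deny", "captcha_required": st.failures >= pol.max_attempts}
        if st.failures < pol.max_attempts:
            return {"result": "deny", "remaining": pol.max_attempts - st.failures}
        st.lockouts += 1
        if pol.mode is Mode.TIMED_UNLOCK:
            st.locked_until = now + pol.lock_seconds * pol.lock_growth_ratio ** (st.lockouts - 1)
        else:
            st.locked_until = float("inf")  # hard lock: only admin_unlock/unlock_with_token clear it
            if pol.mode is Mode.EMAIL_UNLOCK:
                st.pending_token = secrets.token_urlsafe(32)  # goes into the link mailed to the owner
        return {"result": "locked", "reason": pol.mode.name.lower(), "until": st.locked_until}

    def admin_unlock(self, user: str) -> None:
        if user in self.accounts:  # lockouts is kept so the growth ratio still applies
            self.accounts[user] = AccountState(lockouts=self.accounts[user].lockouts)

    def unlock_with_token(self, user: str, token: str) -> bool:
        expected = self.accounts[user].pending_token if user in self.accounts else None
        ok = expected is not None and secrets.compare_digest(expected, token)
        if ok:
            self.admin_unlock(user)
        return ok
```

Two things worth keeping in mind when choosing between these options: options 1 and 3 let anyone who knows a username lock its owner out by simply failing n times, which is why the captcha and back-off options exist; and a blacklist keyed on source IP will also cut off legitimate users behind the same NAT or proxy, so the threshold should be well above what one user can produce. The engine keeps all state in memory; a real deployment would persist it per user store.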
