This thread is also related to [Architecture][Dev][IS] Improvements in handling incorrect login attempts [1].
[1]: http://wso2-oxygen-tank.10903.n7.nabble.com/Dev-IS-Improvements-in-handling-incorrect-login-attempts-td138672.html

Thanks & regards,
-Prabath

On Mon, Jun 20, 2016 at 1:05 AM, Thanuja Jayasinghe <[email protected]> wrote:

> Hi All,
>
> I'm working on $subject.
>
> We are planning to prevent this flow from brute force attacks by enabling the following,
>
> 1. Enable captcha/reCaptcha after n failed attempts
> 2. Lock the account after n failed attempts for a period of time
>
> *How to track failed attempts?*
>
> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim which is used in the login flow to track failed login attempts. Since this is a different flow, using the same claim to track the failed password reset attempts will lead to unintended situations. (Ex: After n number of failed attempts in the login flow, a user may try to reset the password. In this case, the user will see captcha if the number of failed attempts reached the maximum. But since this is the first time the user tries to reset the password, captcha is redundant.)
>
> So we will introduce a new claim called "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track this.
>
> *Implementation*
>
> *Enable captcha/reCaptcha after n failed attempts* - A new captcha connector will be introduced to handle this. The configuration of the connector UI will allow modifying the connector according to the requirements.
>
> *Lock the account after n failed attempts for a period of time* - Account lock will be handled from the identity recovery REST API logic. Also "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused to send notifications in case of account lock.
>
> Appreciate your input.
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
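The design sketched in the quoted proposal (a separate failed-attempt counter for the password reset flow, a captcha threshold, and a timed account lock) can be shown as a small policy model. The following is an added example, not WSO2 Identity Server code: the user store is an in-memory dictionary standing in for the claim store, the two `failedLoginAttempts` / `failedPasswordResetAttempts` claim URIs are the ones named in the thread, and the `lockedUntil` claim, the `ResetPolicy` thresholds and all function names are assumptions made for illustration.

```python
"""Policy model for brute-force protection of a password reset flow.

Added example; constructed stand-in for a claim-backed user store, not WSO2 IS code.
"""
from dataclasses import dataclass, field
from typing import Dict

# Claim URIs named in the thread.
FAILED_LOGIN_CLAIM = "http://wso2.org/claims/identity/failedLoginAttempts"
FAILED_RESET_CLAIM = "http://wso2.org/claims/identity/failedPasswordResetAttempts"
# Hypothetical claim (not from the thread) holding the lock expiry as a UNIX timestamp.
LOCKED_UNTIL_CLAIM = "example:lockedUntil"


@dataclass
class ResetPolicy:
    """Thresholds are assumed values; a real deployment would read them from connector config."""
    captcha_after: int = 3   # require captcha once reset failures reach this count
    lock_after: int = 5      # lock the account once reset failures reach this count
    lock_seconds: int = 900  # how long the lock lasts


@dataclass
class UserStore:
    """Constructed in-memory claim store: user -> {claim URI -> integer value}."""
    claims: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def get(self, user: str, claim: str, default: int = 0) -> int:
        return self.claims.setdefault(user, {}).get(claim, default)

    def set(self, user: str, claim: str, value: int) -> None:
        self.claims.setdefault(user, {})[claim] = value


def reset_state(store: UserStore, user: str, policy: ResetPolicy, now: int) -> str:
    """What the reset endpoint should do before accepting an attempt.

    Only the reset-specific counter is consulted, so login failures never
    trigger a captcha here (the point made in the thread).
    """
    if store.get(user, LOCKED_UNTIL_CLAIM) > now:
        return "locked"
    if store.get(user, FAILED_RESET_CLAIM) >= policy.captcha_after:
        return "captcha_required"
    return "open"


def record_reset_attempt(store: UserStore, user: str, policy: ResetPolicy,
                         succeeded: bool, now: int, captcha_ok: bool = True) -> str:
    """Apply one reset attempt and return the outcome.

    Outcomes: "locked", "captcha_required" (captcha missing or wrong, attempt not
    counted), "reset" (success, counter cleared), "failed" (counter incremented).
    """
    state = reset_state(store, user, policy, now)
    if state == "locked":
        return "locked"
    if state == "captcha_required" and not captcha_ok:
        # Do not count an attempt that never got past the captcha; otherwise a bot
        # could drive the counter to the lock threshold without solving anything.
        return "captcha_required"
    if succeeded:
        store.set(user, FAILED_RESET_CLAIM, 0)
        return "reset"
    failures = store.get(user, FAILED_RESET_CLAIM) + 1
    store.set(user, FAILED_RESET_CLAIM, failures)
    if failures >= policy.lock_after:
        # Timed lock; the counter restarts from zero once the lock expires.
        store.set(user, LOCKED_UNTIL_CLAIM, now + policy.lock_seconds)
        store.set(user, FAILED_RESET_CLAIM, 0)
        return "locked"
    return "failed"


if __name__ == "__main__":
    store, policy = UserStore(), ResetPolicy()
    # Ten failed logins must not affect the reset flow's captcha decision.
    store.set("alice", FAILED_LOGIN_CLAIM, 10)
    print(reset_state(store, "alice", policy, now=0))  # open
    for t in range(5):
        print(record_reset_attempt(store, "alice", policy, succeeded=False, now=t))
```

The separate counter is what keeps the login and reset flows from interfering with each other: a user who exhausted login attempts starts the reset flow in the `open` state, while reset failures alone walk the account through `captcha_required` and finally a timed `locked` state, after which the counter starts over.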
