Hi Farasath,

On Tue, Jun 21, 2016 at 2:57 AM, Farasath Ahamed <[email protected]> wrote:

> Hi Thanuja,
>
>
> On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <[email protected]>
> wrote:
>
>> Hi All,
>>
>> I'm working on $subject.
>>
>> We are planning to prevent this flow from brute force attacks by
>> enabling the following:
>>
>>    1. Enable captcha/reCaptcha after n failed attempts
>>    2. Lock the account after n failed attempts for a period of time
>>
> How are we going to keep track of this "period of time" after an account
> is locked?
>

We calculate the unlock time as current timestamp + locked time * 60 * 1000.
After that time, a user can try to reset the password, as in the normal flow.


>
>
>> *How to track failed attempts?*
>>
>> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim
>> which is used in the login flow to track failed login attempts. Since this is
>> a different flow, using the same claim to track the failed password
>> reset attempts will lead to unintended situations. (Ex: After n number
>> of failed attempts in the login flow, a user may try to reset the password.
>> In this case, the user will see a captcha if the number of failed attempts
>> has reached the maximum. But since this is the first time that the user
>> tries to reset the password, the captcha is redundant.)
>>
>> So we will introduce a new claim called
>> "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track
>> this.
>>
>>
>> *Implementation*
>>
>> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha
>> connector will be introduced to handle this. The connector's configuration
>> UI will allow modifying the connector according to the requirements.
>>
>> *Lock the account after n failed attempts for a period of time* -
>> Account lock will be handled from the identity recovery REST API logic. Also,
>> the "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused
>> to send notifications in case of account lock.
>>
>> Appreciate your input.
>>
>> Thanks,
>> Thanuja
>>
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
> Thanks,
> Farasath.
>



-- 
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
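The design discussed in this thread (a separate failed-attempt claim for the reset flow, captcha after n failures, lock after n failures, and unlock time = current timestamp + locked time * 60 * 1000), modelled as an added, self-contained example. This is not WSO2 Identity Server code: the class and field names (`ResetGuard`, `UserClaims`, the thresholds and the `attempt` method) are assumptions of the example, and the user state is an in-memory stand-in for the two identity claims named above.

```python
"""Added example (not WSO2 code): model of the password-reset brute-force
protection proposed in the thread.

- failed reset attempts are tracked in their own counter (standing in for the
  proposed failedPasswordResetAttempts claim), separate from the login counter
  (failedLoginAttempts), so a user who exhausted *login* attempts does not get
  a captcha on the first *reset* attempt;
- after captcha_after failed reset attempts a captcha is demanded;
- after lock_after failed reset attempts the account is locked and
  unlock_time = now + lock_minutes * 60 * 1000 (milliseconds, as in the thread);
- once the unlock time has passed, the account is treated as unlocked, the
  counter is reset, and the normal reset flow proceeds.
"""
import time
from dataclasses import dataclass

LOCKED, CAPTCHA_REQUIRED, FAILED, RESET = "locked", "captcha_required", "failed", "reset"


@dataclass
class UserClaims:
    """Per-user state, named after the identity claims in the thread (assumed layout)."""
    failed_login_attempts: int = 0           # .../identity/failedLoginAttempts (login flow only)
    failed_password_reset_attempts: int = 0  # .../identity/failedPasswordResetAttempts (this flow)
    account_locked: bool = False
    unlock_time_ms: int = 0                  # epoch milliseconds; meaningful only while locked


class ResetGuard:
    """Captcha-after-n and lock-after-n logic for the password-reset flow.

    Thresholds and the clock are parameters so the behaviour can be exercised
    without waiting for real time to pass.
    """

    def __init__(self, captcha_after=3, lock_after=5, lock_minutes=15, clock_ms=None):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_minutes = lock_minutes
        self.clock_ms = clock_ms or (lambda: int(time.time() * 1000))

    def unlock_time(self, now_ms):
        # unlock time = current timestamp + locked time * 60 * 1000 (from the thread)
        return now_ms + self.lock_minutes * 60 * 1000

    def attempt(self, user, answer_ok, captcha_solved=False):
        """Process one password-reset attempt and return its outcome."""
        now = self.clock_ms()
        if user.account_locked:
            if now < user.unlock_time_ms:
                return LOCKED
            # lock period elapsed: unlock and start the reset counter afresh
            user.account_locked = False
            user.unlock_time_ms = 0
            user.failed_password_reset_attempts = 0
        # The captcha gate looks at the reset counter only; failedLoginAttempts
        # is deliberately not consulted here (the thread's "redundant captcha" case).
        if user.failed_password_reset_attempts >= self.captcha_after and not captcha_solved:
            return CAPTCHA_REQUIRED  # nothing counted: the answer was never checked
        if answer_ok:
            user.failed_password_reset_attempts = 0
            return RESET
        user.failed_password_reset_attempts += 1
        if user.failed_password_reset_attempts >= self.lock_after:
            user.account_locked = True
            user.unlock_time_ms = self.unlock_time(now)
            return LOCKED
        return FAILED


def simulate():
    """Constructed scenario; returns (outcome of each attempt in order, final user state)."""
    clock = {"now": 1_000_000}  # constructed epoch-ms value, advanced by hand below
    guard = ResetGuard(captcha_after=3, lock_after=5, lock_minutes=15,
                       clock_ms=lambda: clock["now"])
    # user who already exhausted *login* attempts: must not see a captcha on the first reset try
    user = UserClaims(failed_login_attempts=10)
    out = []
    out.append(guard.attempt(user, answer_ok=False))                       # failed (1)
    out.append(guard.attempt(user, answer_ok=False))                       # failed (2)
    out.append(guard.attempt(user, answer_ok=False))                       # failed (3)
    out.append(guard.attempt(user, answer_ok=False))                       # captcha_required
    out.append(guard.attempt(user, answer_ok=False, captcha_solved=True))  # failed (4)
    out.append(guard.attempt(user, answer_ok=False, captcha_solved=True))  # locked (5)
    out.append(guard.attempt(user, answer_ok=True, captcha_solved=True))   # locked, period not over
    clock["now"] = user.unlock_time_ms                                     # 15 minutes later
    out.append(guard.attempt(user, answer_ok=True, captcha_solved=True))   # reset
    return out, user


if __name__ == "__main__":
    print(simulate()[0])
```

Two points the model makes visible that the prose only implies: a `captcha_required` response does not increment the counter, because the reset answer was not evaluated, so an attacker cannot drive the counter to the lock threshold just by skipping the captcha; and the lock is checked and expired inside the same call, so no background job is needed to clear `unlock_time`. Captcha verification itself (the connector's job) and the `PRE_SET_USER_CLAIMS` / `POST_SET_USER_CLAIMS` notifications are outside this example.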