When we say 'login' here, do we only think about the username/password-based login? How about OTP and other local authentication mechanisms?
Thanks & regards,
-Prabath

On Mon, Jun 20, 2016 at 11:40 AM, Prabath Siriwardana <[email protected]> wrote:

> I guess we discussed some of the options in a different thread too...
>
> Here are a few things we should do to mitigate brute force attacks...
>
> 1. Lock the account after n number of failed login attempts - only the identity admin (or helpdesk admin) can unlock the account.
> 2. Lock the account after n number of failed login attempts - and automatically unlock the account after t minutes.
> 3. Lock the account after n number of failed login attempts - and unlock the account only when the account owner clicks on a link sent to his registered email address.
> 4. Do not lock the account - after n number of failed login attempts display a captcha.
> 5. Do not lock the account - incrementally increase the response time of the failed login responses.
>
> In all these scenarios - we need to track all the data associated with the login request - and build an IP blacklist.
>
> Can we represent all the above scenarios as policies? Ideally, we should be able to engage these policies to users by the tenant, role or group, user store or globally...
>
> Thanks & regards,
> -Prabath
>
> On Thu, Jun 16, 2016 at 12:23 PM, Harsha Thirimanna <[email protected]> wrote:
>
>> Hi All,
>>
>> Currently we are working on $subject.
>>
>> When a user tries to log in using invalid credentials until the maximum attempt count is reached, we lock the account for some specific time. After that time, we allow the user to try again, and the account will be locked again after the user tries to log in using invalid credentials for the maximum number of attempts. Now we are going to increase the lock time compared to the previous lock time. This ratio would be a configurable value.
>>
>> As another improvement, when a registered user tries to log in to the system without email confirmation, inform him that verification is pending and give him the ability to resend the confirmation code to the registered email address.
>>
>> Your comments and suggestions are highly appreciated.
>>
>> thanks
>>
>> Harsha Thirimanna
>> Associate Tech Lead; WSO2, Inc.; http://wso2.com
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
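The escalating lockout Harsha describes (lock after n failures, each successive lock lasting longer by a configurable ratio) combined with the per-request data tracking Prabath asks for, as an added illustrative example; this is not WSO2 Identity Server code, and the class and field names (`LockoutPolicy`, `AccountState`, `LockoutTracker`) are assumptions made here:

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_attempts: int = 3            # n: failures allowed before the account locks
    base_lock_seconds: float = 60.0  # t: duration of the first lock
    ratio: float = 2.0               # configurable multiplier for each later lock

@dataclass
class AccountState:
    failed_attempts: int = 0   # failures since the last lock or successful login
    lock_count: int = 0        # locks so far; drives the escalation
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked
    source_ips: set = field(default_factory=set)  # tracked to build an IP blacklist

class LockoutTracker:
    """Illustrative policy engine (assumed names, not the project's own code)."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}  # username -> AccountState

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def next_lock_seconds(self, user: str) -> float:
        """How long the next lock on this account lasts: t * ratio^lock_count."""
        p = self.policy
        return p.base_lock_seconds * p.ratio ** self._state(user).lock_count

    def record_failure(self, user: str, ip: str, now: float) -> bool:
        """Register a failed login; returns True when the account is locked."""
        st = self._state(user)
        st.source_ips.add(ip)
        if st.locked_until > now:
            return True  # attempts during a lock are rejected and not counted
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_attempts:
            st.locked_until = now + self.next_lock_seconds(user)
            st.lock_count += 1  # the following lock will be ratio times longer
            st.failed_attempts = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until > now:
            return False  # valid credentials are still rejected while locked
        st.failed_attempts = 0
        return True
```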
