Hi Prabath,

For now these features are per tenant. We will consider these other aspects as well, discuss with the team and get back to this thread with the details.

thanks.

Harsha Thirimanna
Associate Tech Lead; WSO2, Inc.; http://wso2.com
<http://www.apache.org/>
email: [email protected] <[email protected]> cell: +94 71 5186770
twitter: http://twitter.com/harshathirimann <http://twitter.com/afkham_azeez>
linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://lk.linkedin.com/in/afkhamazeez>
Lean . Enterprise . Middleware

On Tue, Jun 21, 2016 at 1:14 PM, Prabath Siriwardana <[email protected]> wrote:
> When we say 'login' here, do we only think about the username/password
> based login? How about OTP and other local authentication mechanisms?
>
> Thanks & regards,
> -Prabath
>
> On Mon, Jun 20, 2016 at 11:40 AM, Prabath Siriwardana <[email protected]> wrote:
>> I guess we discussed some of the options in a different thread too...
>>
>> Here are a few things we should do to mitigate brute force attacks...
>>
>> 1. Lock the account after n number of failed login attempts - only the
>> identity admin (or helpdesk admin) can unlock the account.
>> 2. Lock the account after n number of failed login attempts - and
>> automatically unlock the account after t minutes.
>> 3. Lock the account after n number of failed login attempts - and unlock
>> the account only when the account owner clicks on a link sent to his
>> registered email address.
>> 4. Do not lock the account - after n number of failed login attempts
>> display a captcha
>> 5. Do not lock the account - incrementally increase the response time of
>> the failed login responses
>>
>> In all these scenarios - we need to track all the data associated with
>> the login request - and build an IP blacklist.
>>
>> Can we represent all the above scenarios as policies? Ideally, we should
>> be able to engage these policies to users by the tenant, role or group,
>> user store or globally...
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Thu, Jun 16, 2016 at 12:23 PM, Harsha Thirimanna <[email protected]> wrote:
>>> Hi All,
>>>
>>> Currently we are working on $subject.
>>>
>>> When a user tries to login using invalid credentials until reaching the
>>> maximum attempts count, we lock the account for some specific time. After
>>> the time, we allow the user to try again and it will be locked again after
>>> the user tries to login using invalid credentials for the maximum attempts. Now
>>> we are going to increase the lock time over the previous time. This ratio
>>> would be a configurable value.
>>>
>>> As another improvement, when a registered user tries to login to the
>>> system without email confirmation, inform him that verification is pending and
>>> give the ability to resend the confirmation code to the registered email
>>> address.
>>>
>>> Your comments and suggestions are highly appreciated.
>>>
>>> thanks
>>>
>>> Harsha Thirimanna
>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com
>>> <http://www.apache.org/>
>>> email: [email protected] <[email protected]> cell: +94 71 5186770
>>> twitter: http://twitter.com/harshathirimann <http://twitter.com/afkham_azeez>
>>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://lk.linkedin.com/in/afkhamazeez>
>>>
>>> Lean . Enterprise . Middleware
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://facilelogin.com
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
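The thread above discusses two of the proposed policies in design terms: the lockout whose duration grows by a configurable ratio after each successive lock (Harsha's proposal, Prabath's option 2), and the incrementally increasing failed-login response delay (option 5), plus the per-IP failure tracking needed for a blacklist. The following is an added illustration of how those policies fit together, written for this thread; it is not WSO2 Identity Server code. The names `LockoutPolicy`, `LoginGuard`, `record_failure` and the sample user and IP address are all constructed for the example, and the clock is passed in as a parameter so the escalation can be checked deterministically.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Tunable knobs; values here are placeholders, not product defaults."""
    max_attempts: int = 5             # n failed attempts before a lock
    base_lock_seconds: float = 60.0   # t: duration of the first lock
    lock_growth_ratio: float = 2.0    # each new lock lasts ratio x the previous one
    max_lock_seconds: float = 3600.0  # ceiling so the escalation cannot grow unbounded
    delay_step_seconds: float = 0.5   # extra response delay per consecutive failure
    ip_blacklist_threshold: int = 20  # failures from one IP before it is flagged


@dataclass
class AccountState:
    failed_attempts: int = 0    # consecutive failures since the last lock or success
    lock_count: int = 0         # how many locks have been applied in this streak
    locked_until: float = 0.0   # absolute time (seconds) at which the lock expires


@dataclass
class LoginGuard:
    policy: LockoutPolicy
    accounts: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=lambda: defaultdict(int))

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        return self._state(username).locked_until > now

    def record_failure(self, username: str, ip: str, now: float):
        """Called after a credential check fails.

        Returns (locked, lock_seconds, response_delay_seconds). While an account is
        locked the attempt is not counted against it, but it still counts toward
        the per-IP total used to build the blacklist.
        """
        st = self._state(username)
        self.ip_failures[ip] += 1
        if st.locked_until > now:
            return True, st.locked_until - now, 0.0

        st.failed_attempts += 1
        # Option 5: each consecutive failure is answered a little more slowly.
        delay = self.policy.delay_step_seconds * (st.failed_attempts - 1)

        if st.failed_attempts >= self.policy.max_attempts:
            # Option 2 with escalation: lock time = t * ratio^(previous locks), capped.
            lock = min(
                self.policy.base_lock_seconds
                * self.policy.lock_growth_ratio ** st.lock_count,
                self.policy.max_lock_seconds,
            )
            st.lock_count += 1
            st.failed_attempts = 0
            st.locked_until = now + lock
            return True, lock, delay
        return False, 0.0, delay

    def record_success(self, username: str, now: float) -> bool:
        """Called after a credential check succeeds.

        Returns False if the account is still locked (a correct password must not
        bypass the lock); otherwise clears the failure streak and the escalation.
        """
        st = self._state(username)
        if st.locked_until > now:
            return False
        st.failed_attempts = 0
        st.lock_count = 0
        st.locked_until = 0.0
        return True

    def blacklisted_ips(self) -> list:
        """IPs whose failure count reached the threshold (candidates for the blacklist)."""
        return sorted(
            ip for ip, n in self.ip_failures.items()
            if n >= self.policy.ip_blacklist_threshold
        )


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords for "alice" from one address.
    guard = LoginGuard(LockoutPolicy(max_attempts=3, ip_blacklist_threshold=5))
    for t in (0.0, 1.0, 2.0, 30.0, 70.0, 71.0, 72.0):
        print(t, guard.record_failure("alice", "10.0.0.1", t))
    print("blacklist:", guard.blacklisted_ips())
```

Because every policy parameter lives in `LockoutPolicy`, a different instance can be attached per tenant, role, user store, or globally, which is the "represent the scenarios as policies" question raised in the thread; the engagement logic that picks the instance is left out here.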
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
