Task #7179

Add Slowdown/Cooldown in TOTP verification/serializer

Added by Ahmed Bilal almost 2 years ago. Updated almost 2 years ago.

Status:
Waiting
Priority:
Normal
Target version:
-
Start date:
09/28/2019
Due date:
09/30/2019
% Done:

0%

Estimated time:
PM Check date:

History

#1

Updated by Ahmed Bilal almost 2 years ago

While implementing cooldown, we need to keep in mind the applications (ucloud-api, etc.) that are verifying OTP credentials on behalf of users. They are not abusing the OTP verification themselves. So, to keep track of the real abuser, we may need to have the IP address of the actual user or some other mechanism to track him/her, to cool down the OTP verification only for him/her. If we use the IP to track the originator of the request (that needs OTP verification), we need each application in the middle to forward the IP to ungleich-otp as well. What do you think about it?

#2

Updated by Ahmed Bilal almost 2 years ago

  • Assignee set to Nico Schottelius
  • Status changed from New to Feedback

#3

Updated by Nico Schottelius almost 2 years ago

  • Status changed from Feedback to Waiting

Successful logins never need to be cooled down; only unsuccessful ones do.

The services that use OTP for verification can actually successfully log in; however, the verification token might be wrong.

Reading this, the OTP-enabled service could be used as a proxy to test passwords, so this does not work.

Putting this on waiting/staying with me until I have a clear head.
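To make the two points above concrete (a cooldown keyed on the real originator, as raised in #1, and counting only failures, as in #3), here is an added Python sketch; it is not code from ungleich-otp, and the trusted-proxy list, the forwarded-header handling and the delay values are assumptions.

```python
import time
from collections import defaultdict

# Constructed example, not ungleich-otp code. A failure-only cooldown keyed by
# the originating user that intermediary services (ucloud-api etc.) forward.

TRUSTED_PROXIES = {"10.0.0.5"}   # hypothetical: addresses of the forwarding services
BASE_DELAY = 2.0                 # seconds after the first failed verification
MAX_DELAY = 300.0                # cap on the exponential slowdown

class OtpCooldown:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # originator key -> consecutive failures
        self.blocked_until = {}            # originator key -> clock timestamp

    @staticmethod
    def originator_key(remote_addr, forwarded_for):
        """Key on the real user, not on the service in the middle.
        The forwarded address is honoured only when the direct peer is a
        trusted proxy; otherwise a caller could spoof it to cool down
        someone else (or to dodge their own cooldown)."""
        if remote_addr in TRUSTED_PROXIES and forwarded_for:
            return forwarded_for.split(",")[0].strip()
        return remote_addr

    def retry_after(self, key):
        """Seconds the originator must still wait; 0.0 when not cooling down."""
        return max(0.0, self.blocked_until.get(key, 0.0) - self.clock())

    def verify(self, key, check):
        """check() performs the actual TOTP comparison and returns a bool.
        It is not even called while the originator is cooling down.
        Returns (accepted, retry_after_seconds)."""
        wait = self.retry_after(key)
        if wait > 0:
            return False, wait
        if check():
            self.failures.pop(key, None)        # successful logins never cool down
            self.blocked_until.pop(key, None)
            return True, 0.0
        n = self.failures[key] + 1
        self.failures[key] = n
        delay = min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        self.blocked_until[key] = self.clock() + delay
        return False, delay
```

The forwarded key is only as trustworthy as the service that forwards it, which is exactly the proxy concern raised in the comment above.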
