Task #7179


Add Slowdown/Cooldown in TOTP verification/serializer

Added by Ahmed Bilal about 4 years ago. Updated about 4 years ago.

Due date: 09/30/2019 (over 4 years late)
#1

Updated by Ahmed Bilal about 4 years ago

While implementing cooldown, we need to keep in mind the applications (ucloud-api, etc.) that verify OTP credentials on behalf of users. They are not abusing the OTP verification themselves. So, to keep track of the real abuser, we may need to have the IP address of the actual user or some other mechanism to track them, so that we cool down the OTP verification only for that user. If we use the IP to track the originator of the request (the one that needs OTP verification), we need each application in the middle to forward the IP to ungleich-otp as well. What do you think about it?

#2

Updated by Ahmed Bilal about 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Nico Schottelius
#3

Updated by Nico Schottelius about 4 years ago

  • Status changed from Feedback to Waiting

Successful logins never need to be cooled down; only unsuccessful ones do.

The services that use OTP for verification can actually log in successfully; however, the verification token might be wrong.

Reading this, the OTP-enabled service could be used as a proxy to test passwords, so this does not work.

Putting this on waiting/staying with me until I have a clear head.
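The two constraints raised above (#1: the cooldown must follow the originating client, which the calling service such as ucloud-api has to forward, not the service itself; #3: only failed verifications count, and a service whose own login succeeds must not become a proxy for testing codes) can be combined into one verifier. The following is an added example, not code from ungleich-otp or from either commenter: a stdlib-only TOTP (RFC 6238) check plus an exponential cooldown keyed on (user, origin IP). The class and parameter names (`TOTPVerifier`, `free_failures`, `base_delay`), the use of the RFC 6238 test key as a user secret, and the IP addresses are all assumptions/constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time-step counter."""
    return hotp(secret_b32, int(at // STEP), digits)


@dataclass
class Cooldown:
    failures: int = 0
    blocked_until: float = 0.0


@dataclass(frozen=True)
class Result:
    ok: bool
    reason: str          # "ok", "invalid" or "cooldown"
    retry_after: float   # seconds this originator must wait before trying again


class TOTPVerifier:
    """Verifies TOTP codes. Failures trigger an exponential cooldown keyed on
    (user, originating client IP), never on the calling service's address."""

    def __init__(self, secrets, free_failures=3, base_delay=5.0, max_delay=900.0, window=1):
        self._secrets = dict(secrets)      # user -> base32 secret (assumed store)
        self._free_failures = free_failures
        self._base_delay = base_delay
        self._max_delay = max_delay
        self._window = window              # accepted clock drift, in time steps
        self._state = {}                   # (user, origin_ip) -> Cooldown

    def verify(self, user: str, origin_ip: str, code: str, now: Optional[float] = None) -> Result:
        now = time.time() if now is None else now
        key = (user, origin_ip)
        state = self._state.setdefault(key, Cooldown())
        if now < state.blocked_until:
            # Refuse without evaluating the code: a blocked originator learns nothing,
            # even when its request arrives through a service that itself logged in fine.
            return Result(False, "cooldown", state.blocked_until - now)
        secret = self._secrets.get(user)
        if secret is not None and self._matches(secret, code, now):
            self._state.pop(key, None)     # success is never slowed down: reset the counter
            return Result(True, "ok", 0.0)
        state.failures += 1
        excess = state.failures - self._free_failures
        delay = 0.0
        if excess > 0:                     # only failures beyond the free allowance cost time
            delay = min(self._base_delay * 2 ** (excess - 1), self._max_delay)
            state.blocked_until = now + delay
        return Result(False, "invalid", delay)

    def _matches(self, secret: str, code: str, now: float) -> bool:
        counter = int(now // STEP)
        matched = False
        for c in range(counter - self._window, counter + self._window + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                matched = True             # no early exit: check every slot regardless
        return matched


SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key, used as a demo secret


def demo():
    """Constructed scenario: one calling service forwards attempts from two different clients."""
    v = TOTPVerifier({"alice": SECRET}, free_failures=2, base_delay=5.0)
    t = 45.0                               # counter 1: the valid code is 287082
    attacker, genuine = "203.0.113.7", "198.51.100.9"   # forwarded origin IPs (constructed)
    return [
        v.verify("alice", attacker, "000000", t),             # failure 1: free
        v.verify("alice", attacker, "000000", t),             # failure 2: free
        v.verify("alice", attacker, "000000", t),             # failure 3: 5 s cooldown
        v.verify("alice", attacker, totp(SECRET, t), t + 1),  # right code, but still blocked
        v.verify("alice", genuine, totp(SECRET, t), t + 1),   # other client via same service: accepted
        v.verify("alice", attacker, totp(SECRET, t), t + 6),  # cooldown expired: accepted, state reset
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two caveats for deploying something like this: the forwarded origin IP must only be accepted from calling services that have themselves authenticated, otherwise an attacker who reaches the verifier directly can rotate the header to dodge the cooldown; and clients behind a shared NAT address will share a cooldown bucket, so a second, looser limit keyed on the user alone is a reasonable fallback.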

