Add Slowdown/Cooldown in TOTP verification/serializer
Updated by Ahmed Bilal about 4 years ago
While implementing cooldown, we need to keep in mind the applications (ucloud-api, etc.) that are verifying OTP credentials on behalf of users. They are not abusing the OTP verification themselves. So, to keep track of the real abuser, we may need to have the IP address of the actual user or some other mechanism to track him/her, to cool down the OTP verification only for him/her. If we use the IP to track the originator of the request (that needs OTP verification), we need each application in the middle to forward the IP to ungleich-otp as well. What do you think about it?
Updated by Nico Schottelius about 4 years ago
- Status changed from Feedback to Waiting
Successful logins never need to be cooled down, only unsuccessful ones do.
The services that use OTP for verification can actually successfully log in; however, the verification token might be wrong.
Reading this, the OTP-enabled service could be used as a proxy to test passwords, so this does not work.
Putting this on waiting/staying with me until I have a clear head.
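An added illustration of the per-originator cooldown discussed above (example code, not ungleich-otp's own implementation): the calling service forwards the end user's IP, and only failed verifications for that (user, originator) pair count toward the cooldown, so a successful login is never slowed down. The TOTP secret, IP addresses and limits are constructed sample values.

```python
import hmac, hashlib, struct, time
from collections import defaultdict

# Hypothetical cooldown policy for failed TOTP verifications (example values)
MAX_FAILURES = 3          # failures allowed within the window before cooling down
COOLDOWN_SECONDS = 60     # how long the (user, originator) pair stays locked out

def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class OtpVerifier:
    """Verifies TOTP codes; failures are tracked per (user, originator), not per
    calling service, so one abuser behind ucloud-api does not lock out everyone."""
    def __init__(self, secrets):
        self.secrets = secrets              # user -> TOTP secret (constructed sample)
        self.failures = defaultdict(list)   # (user, originator) -> failure timestamps

    def verify(self, user, code, originator, now=None):
        """originator is the end user's identity forwarded by the calling service
        (e.g. the real client IP), not the service's own address."""
        now = int(time.time()) if now is None else now
        key = (user, originator)
        recent = [t for t in self.failures[key] if now - t < COOLDOWN_SECONDS]
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            return "cooldown"                  # reject without even checking the code
        secret = self.secrets.get(user)
        ok = secret is not None and hmac.compare_digest(code, totp_code(secret, now))
        if ok:
            self.failures.pop(key, None)       # successful logins are never cooled down
            return "ok"
        self.failures[key].append(now)         # only failures count toward cooldown
        return "invalid"
```

A service in the middle must forward the originating IP honestly for this keying to mean anything; otherwise all failures collapse onto the service's own address.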