-
-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add bruteforce protection to two factor challenge endpoint #2626
Comments
We've got quite some feedback in nextcloud/twofactor_totp#5 that could be taken into consideration for this 😉 |
Another thing that should be considered in my opinion is the sequence of challenges. I think it would be better to first ask for the OTP and afterwards ask for the user's password. Additionally, Nextcloud could invalidate the used OTP after one usage, so that an user would have to wait up to 30 secs to reattempt entering his password (or an attacker would have to not only wait 30 seconds to reattempt entering the user's password but also to guess a whole new 6-digit-TOTP). |
Fixes #2626 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
I can see a rate limit after four attempts. I'm crippled in my hands and it is damn hard to type. So far the 2FA on Nextcloud works well but I'd hate to see you go the route of my bank where I have 15 seconds left and 45 seconds of typing to do as they do not allow the code slack on timing which sucks. I cannot type a code in 30 seconds depending on what my hands are doing so having the code I'm typing time out is rough. I can enter it within 60 seconds barely. I can at times make a mistake due to vision problems as well. A fairly good rate limit is to throw up an error and say I need to wait 30 seconds then go back to the login which I have a password manager for and then go back to entering the OTP. However eventually I won't be able to type anything. And no more than six characters or you've pretty much denied me access. I spoke this and then have to use a grammar checker. Speaking numbers cause some issue or other with Nextcloud and several other sites as I use standalone software for that and it does not work well with numbers. |
Hi @doggodanubus can you open a new issue about that. Commenting on a 5 year old issue is not very helpful at this point. |
We should add the bruteforce protection also the two factor challenge endpoint, there are some challenges with that mainly the fact that we can't just throttle the controller because then a valid token may be expired again.
My proposal would be to basically logout users after 3 invalid Two Factor challenges and increase the bruteforce counter in that case. The user has then to reenter their password and this case will be slowed down.
cc @ChristophWurst @nextcloud/security Thoughts?
The text was updated successfully, but these errors were encountered: