
Alert ops/security on many 2FA failures
Open, Medium, Public


Two-factor authentication codes are short and shown as the user types them in, so failures should be rare. A dedicated attacker can brute-force them given enough time (the current throttling is 10 per minute, and there are 10^6 possibilities, 3 of which are acceptable, so for a single account there is about a 1% chance of success for every 5 hours spent attacking; practically guaranteed success in a month or so). We should have aggressive security alerts (Icinga etc.) for frequent 2FA failures.

That would require either dedicated logging or improving AuthManagerLoginAuthenticateAudit (which currently only learns the outcome of the login attempt, not the step at which it failed; cf. T137194: AuthManager cannot audit passwords) or adding a similar audit hook to OATHAuth.

See also T158379: Warn the user after a certain number of failed 2FA attempts about alerting the account owner.

Event Timeline

Tgr created this task. Nov 16 2016, 10:39 PM
Restricted Application added a subscriber: Aklapper. Nov 16 2016, 10:39 PM
Tgr added a comment. Nov 17 2016, 5:15 AM

Also, we don't currently log abandoned logins (i.e. a multistep form where a later step is never submitted and the session times out), but a successful password check followed by a 2FA screen that never gets submitted should ring alarm bells.
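
The sort of check the task description and this comment ask for, written here as an added example; it is not code from MediaWiki, OATHAuth or this task. It assumes a hypothetical per-step audit line format (`timestamp user ip step outcome`) that AuthManager does not currently emit, runs over constructed sample lines, and flags two things: accounts (or client IPs) with many TOTP failures inside a sliding window, and password successes whose TOTP step was never submitted before the session timeout. The thresholds and the 30-minute timeout are assumptions, not project settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed per-step audit format that
# AuthManager does not currently emit:
#   <ISO timestamp> <user> <client ip> <auth step> <outcome>
SAMPLE_LOG = """\
2016-11-17T04:00:00Z alice 198.51.100.7 password success
2016-11-17T04:00:10Z alice 198.51.100.7 totp fail
2016-11-17T04:00:20Z alice 198.51.100.7 totp fail
2016-11-17T04:00:30Z alice 198.51.100.7 totp fail
2016-11-17T04:00:40Z alice 198.51.100.7 totp fail
2016-11-17T04:00:50Z alice 198.51.100.7 totp fail
2016-11-17T04:01:00Z alice 198.51.100.7 totp fail
2016-11-17T04:05:00Z bob 203.0.113.9 password success
2016-11-17T04:06:00Z carol 192.0.2.44 password success
2016-11-17T04:06:08Z carol 192.0.2.44 totp success
2016-11-17T04:07:00Z dave 192.0.2.45 password success
2016-11-17T04:07:09Z dave 192.0.2.45 totp fail
2016-11-17T04:07:40Z dave 192.0.2.45 totp success
2016-11-17T05:00:00Z erin 192.0.2.46 password fail
"""


def parse_audit(text):
    """Parse the assumed audit format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, step, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "step": step, "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def totp_failure_bursts(events, key="user", threshold=5, window=timedelta(minutes=10)):
    """Map each user (or client IP, with key="ip") to the first moment at which
    `threshold` TOTP failures fell inside one sliding `window`: the point an
    Icinga-style alert should fire. Keys that never reach the threshold are absent."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["step"] != "totp" or e["outcome"] != "fail":
            continue
        q = recent[e[key]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and e[key] not in alerts:
            alerts[e[key]] = e["ts"]
    return alerts


def abandoned_2fa(events, timeout=timedelta(minutes=30), now=None):
    """Password accepted but no TOTP submission (pass or fail) from that user
    before the session timeout. Attempts whose timeout has not yet expired at
    `now` (default: the last event seen) are undecidable and are not reported."""
    if now is None:
        now = events[-1]["ts"]
    flagged = []
    for i, e in enumerate(events):
        if e["step"] != "password" or e["outcome"] != "success":
            continue
        deadline = e["ts"] + timeout
        if deadline > now:
            continue
        followed_up = any(
            f["user"] == e["user"] and f["step"] == "totp" and f["ts"] <= deadline
            for f in events[i + 1:]
        )
        if not followed_up:
            flagged.append((e["user"], e["ts"]))
    return flagged


if __name__ == "__main__":
    evts = parse_audit(SAMPLE_LOG)
    print("per-account bursts:", totp_failure_bursts(evts))
    print("per-IP bursts:     ", totp_failure_bursts(evts, key="ip"))
    print("abandoned 2FA:     ", abandoned_2fa(evts))
```

Keying the burst counter by client IP as well as by account matters because an attacker spreading guesses across many accounts from one address stays under any per-account threshold; the abandoned-2FA check deliberately waits until the timeout has elapsed, otherwise a user who is merely slow to read their phone would be reported.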

Reedy added a subscriber: Reedy. Nov 18 2016, 12:53 AM

Is this alerts to a user of their failures, or more generally for WMF deployment? Or both?

Tgr added a comment. Nov 18 2016, 3:51 AM

I was thinking of icinga-type alerts. But adding 2FA alerts to LoginNotify (T140167) would be nice too.

kaldari updated the task description. Apr 24 2017, 9:53 PM
Tgr renamed this task from Alert on many 2FA failures to Alert ops/security on many 2FA failures. Nov 18 2017, 9:47 PM
Tgr updated the task description.
Tgr updated the task description.
Tgr updated the task description. Nov 18 2017, 9:49 PM

A brute force attack on a 2FA-enabled account is kind of impossible, since the code changes every 30 seconds and you have 10.077.696 possible combinations; I personally think the web server is able to handle that many requests in 30 seconds.

Tgr added a comment. Mar 12 2018, 12:36 AM

This is a common misconception: periodically changing the code actually does very little against brute-force attacks. (It is there to protect against replay attacks.) The attacker would just keep trying numbers at random; the expected number of attempts needed is approximately the same.
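
Worked numbers for the estimate in the task description and for the point made in this comment, as an added example that is not part of the task or of OATHAuth. `success_probability` applies the description's figures (10 attempts a minute, 10^6 codes, 3 accepted at any moment) to a chosen attack duration; `mean_attempts` is a small Monte Carlo, using an assumed reduced code space of 1000 so it runs in seconds, that compares random guessing against a static code with guessing against a code that is regenerated every 30 seconds. The rotation model (a fresh set of 3 valid codes every 5 guesses) is an assumption chosen to match the throttle and the TOTP step, not a description of OATHAuth's verifier.

```python
import random


def success_probability(attempts_per_min, minutes, code_space=10**6, accepted=3):
    """Chance that uniformly random guesses hit one of `accepted` valid codes
    within the rate limit. Each guess succeeds independently with
    p = accepted / code_space, so P(success) = 1 - (1 - p) ** attempts."""
    p = accepted / code_space
    attempts = attempts_per_min * minutes
    return 1 - (1 - p) ** attempts


def attempts_until_hit(rng, rotating, code_space=1000, accepted=3, guesses_per_step=5):
    """Random guesses until one is accepted. With `rotating`, the valid set is
    replaced every `guesses_per_step` guesses (10/min throttle against a 30 s
    TOTP step). The attacker learns nothing from a failure either way, so each
    guess still succeeds with probability accepted / code_space."""
    def fresh():
        # assumed: `accepted` distinct codes are valid at once (current step
        # plus the verifier's skew window)
        return set(rng.sample(range(code_space), accepted))

    valid = fresh()
    n = 0
    while True:
        if rotating and n and n % guesses_per_step == 0:
            valid = fresh()
        n += 1
        if rng.randrange(code_space) in valid:
            return n


def mean_attempts(rotating, trials=2000, seed=1, **kw):
    """Average number of guesses needed over `trials` independent attacks."""
    rng = random.Random(seed)
    return sum(attempts_until_hit(rng, rotating, **kw) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(f"5 hours at 10/min:  {success_probability(10, 5 * 60):.3%}")
    print(f"30 days at 10/min:  {success_probability(10, 30 * 24 * 60):.1%}")
    print(f"static code, mean guesses:   {mean_attempts(False):.0f}")
    print(f"rotating code, mean guesses: {mean_attempts(True):.0f}")
    print(f"theory, code_space/accepted: {1000 / 3:.0f}")
```

With the description's numbers the 5-hour figure comes out just under 1% and the 30-day figure around 73%, and the two simulated means both sit near code_space/accepted, which is the numerical form of the point above: rotation does not lengthen the attack, only the throttle does.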

RP88 added a subscriber: RP88. May 9 2018, 11:02 PM
chasemp triaged this task as Medium priority. Dec 9 2019, 5:20 PM
chasemp added a project: Security-Team.
chasemp moved this task from Incoming to Waiting on the Security-Team board. Dec 9 2019, 5:32 PM