Page MenuHomePhabricator
Create Task
Maniphest T158379

Warn the user after a certain number of failed 2FA attempts
Open, Needs TriagePublic
Actions

Description

TOTP uses six-digit tokens, and accepts three of them (current, previous and next time slot) so it is not very bruteforce-resistent. Attempts are throttled but not terribly so - with the default settings (10 tries per minute) an attacker working for 5 hours has an 1% chance at success, which is way higher than desirable.

There should be some way (e.g. by OATH providing a hook and LoginNotify using it) to detect repeated failed attempts and notify the user that their password was probably compromised. It is easy to filter out honest mistakes (just ignore attempts which only differ in one or two digits, or are valid codes that fall within +-10 time slots) so it's possible to set some fairly aggressive limit.

See also T150903: Alert sre/security on many 2FA failures about alerting ops/security.

Related Objects

Event Timeline

Tgr created this task.Feb 17 2017, 1:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2017, 1:14 AM
Tgr mentioned this in T158153: Consider changing recovery codes to use six digits.Feb 17 2017, 1:15 AM
Reedy added a project: Notifications.Feb 17 2017, 1:19 AM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptFeb 17 2017, 1:19 AM
jmatazzoni removed projects: Notifications, Collaboration-Team-Triage.Feb 21 2017, 6:56 PM
jmatazzoni subscribed.

Taking Collab and Notifications off this. It's really a Login ticket. (There might be a separate task for a notification).

Xaosflux subscribed.Apr 26 2017, 8:21 PM
Framawiki subscribed.Aug 28 2017, 8:08 PM
Tgr mentioned this in T150903: Alert sre/security on many 2FA failures.Nov 18 2017, 9:47 PM
Tgr updated the task description. (Show Details)
RP88 subscribed.May 9 2018, 11:02 PM
Phabricator_maintenance added a project: Community-Tech.Jul 20 2018, 5:13 PM
Niharika removed a project: Community-Tech.Jul 20 2018, 11:20 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptJul 20 2018, 11:20 PM
Niharika removed a project: Community-Tech.Jul 20 2018, 11:20 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Jul 5 2019, 10:00 PM
Logicer subscribed.Jul 5 2022, 5:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL