
Warn the user after a certain number of failed 2FA attempts
Open, Needs Triage, Public

Description

TOTP uses six-digit tokens, and accepts three of them (current, previous and next time slot) so it is not very brute-force-resistant. Attempts are throttled but not terribly so - with the default settings (10 tries per minute) an attacker working for 5 hours has a 1% chance at success, which is way higher than desirable.

There should be some way (e.g. by OATH providing a hook and LoginNotify using it) to detect repeated failed attempts and notify the user that their password was probably compromised. It is easy to filter out honest mistakes (just ignore attempts which only differ in one or two digits, or are valid codes that fall within ±10 time slots) so it's possible to set some fairly aggressive limit.

See also T150903: Alert sre/security on many 2FA failures about alerting ops/security.
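The numbers in the description and the proposed honest-mistake filter, worked through as an added Python example (this is not OATH or LoginNotify code, and the hook shape, the per-user sliding window and the threshold of five suspicious failures per hour are assumptions for illustration). `brute_force_success_probability` reproduces the 1%-in-5-hours figure from 10 tries/minute against 3 accepted codes out of 10^6; `classify_failure` implements the filter from the description: a rejected code that is correct for a slot within ±10 steps (clock drift) or that differs from an accepted code in at most two digits (typo) is ignored, everything else counts toward the warning. The secret is the RFC 4226/6238 test-vector key, and the ±1-slot accepted window is taken from the description.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque

DIGITS = 6
TIME_STEP = 30           # seconds per TOTP slot (RFC 6238 default)
ACCEPTED_WINDOW = 1      # slots either side of "now" that are accepted (from the task description)
DRIFT_WINDOW = 10        # a valid code this many slots away is clock drift, not an attack (assumed)
MAX_TYPO_DIGITS = 2      # a rejected code differing in at most this many digits is a typo (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_slot(now: float, step: int = TIME_STEP) -> int:
    return int(now // step)


def brute_force_success_probability(tries_per_minute: float, minutes: float,
                                    accepted_codes: int = 2 * ACCEPTED_WINDOW + 1,
                                    digits: int = DIGITS) -> float:
    """Chance that blind guessing at the throttle limit hits one of the accepted codes."""
    per_try = accepted_codes / 10 ** digits
    tries = tries_per_minute * minutes
    return 1.0 - (1.0 - per_try) ** tries


def digit_distance(a: str, b: str) -> int:
    """Number of positions in which two equal-length digit strings differ."""
    return sum(x != y for x, y in zip(a, b))


def classify_failure(secret: bytes, code: str, now: float) -> str:
    """Label a rejected code 'honest' (typo or clock drift) or 'suspicious' (possible guessing)."""
    code = code.replace(" ", "")
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return "suspicious"
    slot = totp_slot(now)
    accepted = [hotp(secret, slot + o) for o in range(-ACCEPTED_WINDOW, ACCEPTED_WINDOW + 1)]
    # Correct code for a slot just outside the accepted window: a drifted device clock.
    for o in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        if abs(o) > ACCEPTED_WINDOW and hmac.compare_digest(hotp(secret, slot + o), code):
            return "honest"
    # Near miss of an accepted code: one or two mistyped digits.
    if any(digit_distance(code, a) <= MAX_TYPO_DIGITS for a in accepted):
        return "honest"
    return "suspicious"


class FailureMonitor:
    """Per-user sliding-window count of suspicious failures (hypothetical hook consumer)."""

    def __init__(self, threshold: int = 5, window_seconds: int = 3600):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)

    def record_failure(self, user: str, secret: bytes, code: str, now: float) -> bool:
        """Return True once, at the moment the suspicious-failure count reaches the threshold."""
        if classify_failure(secret, code, now) == "honest":
            return False
        q = self._failures[user]
        q.append(now)
        while q and q[0] <= now - self.window_seconds:
            q.popleft()
        return len(q) == self.threshold


if __name__ == "__main__":
    # RFC 4226 test-vector key; NOW is an arbitrary fixed timestamp (constructed sample input).
    secret = b"12345678901234567890"
    now = 1_234_567_890.0
    print(f"5h at 10/min: {brute_force_success_probability(10, 5 * 60):.2%}")
    print(classify_failure(secret, hotp(secret, totp_slot(now) + 5), now))  # stale but real code
```

The drift check runs before the typo check so that a genuine code from a drifted clock is never counted even if it happens to sit near an accepted code; the monitor fires exactly when the count hits the threshold, so a continuing attack produces one notification per window rather than one per attempt.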

Event Timeline

jmatazzoni subscribed.

Taking Collab and Notifications off this. It's really a Login ticket. (There might be a separate task for a notification).