Hi Thanuja,

On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:

> Hi All,
>
> I'm working on $subject.
>
> We are planning to prevent this flow from brute force attacks by enabling the
> following:
>
> 1. Enable captcha/reCaptcha after n failed attempts
> 2. Lock the account after n failed attempts for a period of time
>
> *How to track failed attempts?*
>
> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim
> which is used in the login flow to track failed login attempts. Since this is
> a different flow, using the same claim to track the failed password reset
> attempts will lead to unintended situations. (Ex: After n number of
> failed attempts in the login flow, a user may try to reset the password. In
> this case, the user will see captcha if the number of failed attempts
> reached the maximum. But since this is the first time the user
> tries to reset the password, captcha is redundant.)
>
> So we will introduce a new claim called
> "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track
> this.

+1 for having a separate claim for tracking password reset failed attempts since it is different from login attempts.

> *Implementation*
>
> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha
> connector will be introduced to handle this. The configuration of the connector
> UI will allow modifying the connector according to the requirements.
>
> *Lock the account after n failed attempts for a period of time* - Account
> lock will be handled from the identity recovery REST API logic. Also
> "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused to send
> notifications in case of account lock.

Where can we define the lock time? Is it a new configuration or the same configuration used when the account is locked with invalid credentials?

Thanks,
Isura.

> Appreciate your input.
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992

--
Isura Dilhara Karunaratne
Senior Software Engineer
Mob +94 772 254 810
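The design discussed above (a separate failed-attempt counter per flow, captcha after n failures, a timed account lock), as an added example that is not WSO2 code; the FlowPolicy/UserState/BruteForceGuard names, the per-flow lock_seconds setting and the rule that an expired lock resets only the counter that triggered it are assumptions made here to illustrate the open question about where the lock time is configured.

```python
from dataclasses import dataclass, field

# Claim URIs named in the thread; each flow keeps its own failure counter.
LOGIN_CLAIM = "http://wso2.org/claims/identity/failedLoginAttempts"
RESET_CLAIM = "http://wso2.org/claims/identity/failedPasswordResetAttempts"

@dataclass
class FlowPolicy:
    captcha_after: int   # require captcha once failures reach this count
    lock_after: int      # lock the account once failures reach this count
    lock_seconds: float  # assumed per-flow lock duration (left open in the thread)
@dataclass
class UserState:
    claims: dict = field(default_factory=lambda: {LOGIN_CLAIM: 0, RESET_CLAIM: 0})
    locked_until: float = 0.0  # account-wide lock expiry (epoch seconds)
    locked_by: str = ""        # claim whose counter triggered the lock

class BruteForceGuard:
    def __init__(self, policies, clock):
        self.policies = policies  # claim URI -> FlowPolicy
        self.clock = clock        # injectable so the scenario below is deterministic
    def check(self, user, claim):  # -> 'locked', 'captcha' or 'ok', evaluated before the attempt
        if user.locked_by:
            if self.clock() < user.locked_until:
                return "locked"
            user.claims[user.locked_by] = 0  # lock expired: reset only the flow that caused it
            user.locked_until, user.locked_by = 0.0, ""
        if user.claims[claim] >= self.policies[claim].captcha_after:
            return "captcha"
        return "ok"
    def record_failure(self, user, claim):
        user.claims[claim] += 1
        if user.claims[claim] >= self.policies[claim].lock_after:
            user.locked_until = self.clock() + self.policies[claim].lock_seconds
            user.locked_by = claim

def demo():  # constructed scenario: login failures do not bleed into the reset flow
    now, user = [1000.0], UserState()
    guard = BruteForceGuard({LOGIN_CLAIM: FlowPolicy(3, 5, 300.0),
                             RESET_CLAIM: FlowPolicy(2, 3, 900.0)}, clock=lambda: now[0])
    both = lambda: (guard.check(user, LOGIN_CLAIM), guard.check(user, RESET_CLAIM))
    for _ in range(3):
        guard.record_failure(user, LOGIN_CLAIM)
    after_login_failures = both()
    for _ in range(3):
        guard.record_failure(user, RESET_CLAIM)
    while_locked = both()
    now[0] += 901  # lock period elapsed; only the reset counter is cleared
    return after_login_failures, while_locked, both()
```

After three login failures the login flow demands captcha while a first password reset is still unchallenged; once the reset counter locks the account both flows are blocked until the lock expires, after which the login counter still stands.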
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture