Hi Thanuja,

On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <than...@wso2.com>
wrote:

> Hi All,
>
> I'm working on $subject.
>
> We are planning to prevent this flow from brute force attacks by enabling
> followings,
>
>    1. Enable captcha/reCaptcha after n failed attempts
>    2. Lock the account after n failed attempts for a period of time
>
>
> *How to track failed attempts?*
>
> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim
> which used in the login flow to track failed login attempts. Since this is
> a different flow, using the same claim to track the failed password reset
> attempts will lead to unintended situations. (Ex: After n number of
> failed attempts in the login flow, a user may try to reset the password. In
> this case, the user will see captcha if the number of failed attempts
> reached to the maximum. But since this is the first time which the user
> tries to reset the password, captcha is redundant.)
>
> So we will introduce a new claim called "
> http://wso2.org/claims/identity/failedPasswordResetAttempts" to track
> this.
>
>
> *Implementation*
>
> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha
> connector will be introduced to handle this. The connector's configuration
> UI will allow modifying the connector according to the requirements.
>

I assume this new connector will be much similar to
"SSOLoginReCaptchaConnector", which is discussed in [1]; rather than
depending on the "failedLoginAttempts" claim, the new connector will
depend on the new "failedPasswordResetAttempts" claim.

> *Lock the account after n failed attempts for a period of time* - Account
> lock will be handled from the identity recovery REST API logic. Also
> "PRE_SET_USER_CLAIMS"
> and "POST_SET_USER_CLAIMS" events will be reused to send notifications in
> case of account lock.
>

Are you referring to locking the password recovery flow? What would be the
impact of locking the "password recovery flow" on the "login flow"?

Going through the supported password recovery flows listed in [2],
> Recover with Notification : Has less risk of brute force attacks
> Recover with Secret Questions (one question at a time) : Has moderate
> risk of brute force attacks
> Recover with Secret Questions (multiple questions at a time) : Has higher
> risk of brute force attacks

Considering the above, it's better to have this feature enabled by default if
password recovery is enabled.

[1] "[Architecture][IS] Support for Google reCaptha"
[2] "Identity Management Recovery API improvements"

Thanks,
Darshana

>
> Appreciate your input.
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Regards,


*Darshana Gunawardana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
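The following is an added example, not code from WSO2 Identity Server or from either author; it models in Python the throttling design discussed in this thread rather than the Java connector itself. It keeps the two claims named above as separate counters, so that failures in the login flow never trip the captcha in the recovery flow (Thanuja's point), and gives the account lock an expiry. The thresholds, the lock duration, the two claims used to hold the lock state, the in-memory store and the integer-seconds clock are all assumptions made for this example.

```python
"""Added example (not WSO2 Identity Server code): a minimal model of the
per-flow failure counting and timed account lock proposed in the thread.

Assumptions made for this example: the thresholds, the lock duration, the
two claims holding the lock state, the in-memory store and the clock
(plain integer seconds, e.g. int(time.time())).
"""

# Claims named in the thread.
FAILED_LOGIN = "http://wso2.org/claims/identity/failedLoginAttempts"
FAILED_RESET = "http://wso2.org/claims/identity/failedPasswordResetAttempts"

# Assumed claims for the lock state (not taken from the thread).
ACCOUNT_LOCKED = "http://wso2.org/claims/identity/accountLocked"
UNLOCK_TIME = "http://wso2.org/claims/identity/unlockTime"

CAPTCHA_AFTER = 3        # assumed: captcha after n failures in a flow
LOCK_AFTER = 5           # assumed: lock after n failures in a flow
LOCK_DURATION = 15 * 60  # assumed lock period, in seconds


class UserStore:
    """In-memory stand-in for the user store's per-user claim map."""

    def __init__(self):
        self._claims = {}

    def get(self, user, claim, default=None):
        return self._claims.get(user, {}).get(claim, default)

    def set(self, user, claim, value):
        self._claims.setdefault(user, {})[claim] = value


class RecoveryThrottle:
    """Decides, per flow, whether a request is allowed, needs a captcha,
    or is refused because the account is locked."""

    def __init__(self, store, captcha_after=CAPTCHA_AFTER,
                 lock_after=LOCK_AFTER, lock_duration=LOCK_DURATION):
        self.store = store
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_duration = lock_duration

    def is_locked(self, user, now):
        """True while the lock is active. An expired lock is cleared along
        with the reset counter so the user gets a fresh allowance."""
        if not self.store.get(user, ACCOUNT_LOCKED, False):
            return False
        unlock_at = self.store.get(user, UNLOCK_TIME)
        if unlock_at is not None and now >= unlock_at:
            self.store.set(user, ACCOUNT_LOCKED, False)
            self.store.set(user, UNLOCK_TIME, None)
            self.store.set(user, FAILED_RESET, 0)
            return False
        return True

    def check(self, user, flow_claim, now):
        """Return 'locked', 'captcha' or 'allowed' for one flow, reading
        only that flow's own counter, never the other flow's."""
        if self.is_locked(user, now):
            return "locked"
        if self.store.get(user, flow_claim, 0) >= self.captcha_after:
            return "captcha"
        return "allowed"

    def record_failure(self, user, flow_claim, now):
        """Bump the flow's counter and lock the account once it reaches
        the lock threshold. Returns the new count."""
        count = self.store.get(user, flow_claim, 0) + 1
        self.store.set(user, flow_claim, count)
        if count >= self.lock_after:
            # One account-level flag, as the proposal says "lock the
            # account". Whether a lock raised by the recovery flow should
            # also block login is left open in the thread; this example
            # simply assumes it does.
            self.store.set(user, ACCOUNT_LOCKED, True)
            self.store.set(user, UNLOCK_TIME, now + self.lock_duration)
        return count

    def record_success(self, user, flow_claim):
        """A successful attempt resets that flow's counter only."""
        self.store.set(user, flow_claim, 0)


if __name__ == "__main__":
    store = UserStore()
    throttle = RecoveryThrottle(store)
    t0 = 1466429700  # constructed timestamp for the demo
    for _ in range(CAPTCHA_AFTER):
        throttle.record_failure("alice", FAILED_LOGIN, t0)
    print("login :", throttle.check("alice", FAILED_LOGIN, t0))
    print("reset :", throttle.check("alice", FAILED_RESET, t0))
```

With a single shared counter, the three login failures in the demo would have forced a captcha on the user's very first reset attempt; with the separate claim the reset flow still reports "allowed". Clearing the reset counter when the lock expires is a design choice, otherwise one more failure after the lock period would immediately relock the account.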
