Hi Darshana,

On Mon, Jun 20, 2016 at 6:54 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:

> Hi Thanuja,
>
> On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>
>> Hi All,
>>
>> I'm working on $subject.
>>
>> We are planning to prevent this flow from brute force attacks by enabling the following:
>>
>> 1. Enable captcha/reCaptcha after n failed attempts
>> 2. Lock the account after n failed attempts for a period of time
>>
>> *How to track failed attempts?*
>>
>> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim which is used in the login flow to track failed login attempts. Since this is a different flow, using the same claim to track the failed password reset attempts will lead to unintended situations. (Ex: After n number of failed attempts in the login flow, a user may try to reset the password. In this case, the user will see a captcha if the number of failed attempts has reached the maximum. But since this is the first time the user tries to reset the password, the captcha is redundant.)
>>
>> So we will introduce a new claim called "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track this.
>>
>> *Implementation*
>>
>> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha connector will be introduced to handle this. The configuration of the connector UI will allow modifying the connector according to the requirements.
>
> I assume this new connector will be much similar to "SSOLoginReCaptchaConnector" which is discussed in [1]; rather than depending on the "failedLoginAttempts" claim, the new connector will depend on the new "failedPasswordResetAttempts" claim.

Yes. They will share a similar design.

>> *Lock the account after n failed attempts for a period of time* - Account lock will be handled from the identity recovery REST API logic. Also "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused to send notifications in case of account lock.
>
> Are you referring to locking the password recovery flow? What would be the impact of locking the "password recovery flow" on the "login flow"?

Account lock from any flow (either from the "password recovery flow" or the "login flow") will be considered as an account locked situation for the user.

> Going through supported password recovery flows listed in [2],
>
> Recover with Notification : Has less risk on brute force attacks
>
> Recover with Secret Questions (one question at a time) : Has moderate risk on brute force attacks
>
> Recover with Secret Questions (multiple questions at a time) : Has higher risk on brute force attacks
>
> Considering the above, it's better to have this feature enabled by default if the password recovery is enabled.

+1. We are planning to apply these security enhancements only to 'Recover with Secret Questions' flows due to the lower risk in the 'Recover with Notification' flow.

> [1] "[Architecture][IS] Support for Google reCaptha"
> [2] "Identity Management Recovery API improvements"
>
> Thanks,
> Darshana
>
>> Appreciate your input.
>>
>> Thanks,
>> Thanuja
>>
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Regards,
>
> *Darshana Gunawardana*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> *E-mail: darsh...@wso2.com*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware
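The per-flow counting and account-wide lock agreed in the thread, as an added example that is not code from the thread or from WSO2 Identity Server. It keeps the existing `failedLoginAttempts` claim and the proposed `failedPasswordResetAttempts` claim as separate counters, so that login failures do not make the reset flow demand a captcha, while a lock raised from either flow blocks the user everywhere until the lock period expires. The `Policy` thresholds, the `example:accountLocked` and `example:unlockTime` claim names, the `AttemptTracker` class and the user name are constructed for this example and are not WSO2 identifiers.

```python
"""Toy model of per-flow failed-attempt tracking with an account-wide lock.

Added example: the thresholds, the AttemptTracker class and the two
placeholder claim names below are assumptions, not WSO2 IS code.
"""
import time
from dataclasses import dataclass

# Claim URIs named in the thread.
LOGIN_ATTEMPTS_CLAIM = "http://wso2.org/claims/identity/failedLoginAttempts"
RESET_ATTEMPTS_CLAIM = "http://wso2.org/claims/identity/failedPasswordResetAttempts"
# Placeholder claim names for this example only (not real WSO2 claim URIs).
ACCOUNT_LOCKED_CLAIM = "example:accountLocked"
UNLOCK_TIME_CLAIM = "example:unlockTime"

# Each flow counts failures in its own claim; the two never mix.
FLOW_CLAIM = {"login": LOGIN_ATTEMPTS_CLAIM, "reset": RESET_ATTEMPTS_CLAIM}


@dataclass
class Policy:
    captcha_after: int = 3    # constructed threshold: captcha from the 3rd failure
    lock_after: int = 5       # constructed threshold: lock on the 5th failure
    lock_seconds: int = 300   # constructed lock duration


class AttemptTracker:
    """Keeps per-user claims; 'clock' is injectable so the lock expiry is testable."""

    def __init__(self, policy: Policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._store = {}

    def claims(self, user):
        return self._store.setdefault(user, {})

    def is_locked(self, user) -> bool:
        """Account lock applies to every flow; it clears itself once the period elapses."""
        c = self.claims(user)
        if not c.get(ACCOUNT_LOCKED_CLAIM):
            return False
        if self.clock() >= c.get(UNLOCK_TIME_CLAIM, 0.0):
            c[ACCOUNT_LOCKED_CLAIM] = False
            c[LOGIN_ATTEMPTS_CLAIM] = 0
            c[RESET_ATTEMPTS_CLAIM] = 0
            return False
        return True

    def captcha_required(self, user, flow) -> bool:
        """Only the counter of the flow being used decides whether to show a captcha."""
        return self.claims(user).get(FLOW_CLAIM[flow], 0) >= self.policy.captcha_after

    def record_failure(self, user, flow) -> str:
        """Increment the flow's own counter; lock the whole account at the threshold."""
        if self.is_locked(user):
            return "locked"
        c = self.claims(user)
        claim = FLOW_CLAIM[flow]
        c[claim] = c.get(claim, 0) + 1
        if c[claim] >= self.policy.lock_after:
            c[ACCOUNT_LOCKED_CLAIM] = True
            c[UNLOCK_TIME_CLAIM] = self.clock() + self.policy.lock_seconds
            return "locked"
        return "counted"

    def record_success(self, user, flow) -> None:
        """A successful attempt resets only that flow's counter."""
        self.claims(user)[FLOW_CLAIM[flow]] = 0


def walkthrough():
    """Replays the scenario from the thread with a fake clock and returns what was observed."""
    now = [1_000_000.0]
    policy = Policy()
    tracker = AttemptTracker(policy, clock=lambda: now[0])
    user = "alice"  # constructed user name
    for _ in range(3):
        tracker.record_failure(user, "login")
    result = {
        "login_captcha": tracker.captcha_required(user, "login"),   # True
        "reset_captcha": tracker.captcha_required(user, "reset"),   # False: fresh flow
    }
    result["reset_outcomes"] = [tracker.record_failure(user, "reset") for _ in range(5)]
    result["locked_for_login"] = tracker.is_locked(user)            # lock is account-wide
    now[0] += policy.lock_seconds                                   # lock period elapses
    result["unlocked_later"] = not tracker.is_locked(user)
    result["reset_count_after_unlock"] = tracker.claims(user)[RESET_ATTEMPTS_CLAIM]
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The `is_locked` check runs before any counter is touched, so a locked account cannot accumulate further failures in either flow, and the lock expiry resets both counters together because the lock state, unlike the counters, is shared by the login and recovery flows.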