Hi Thanuja,
On Mon, Jun 20, 2016 at 7:55 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:

> Hi Darshana,
>
> On Mon, Jun 20, 2016 at 6:54 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>
>> Hi Thanuja,
>>
>> On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> I'm working on $subject.
>>>
>>> We are planning to protect this flow from brute force attacks by enabling the following:
>>>
>>> 1. Enable captcha/reCaptcha after n failed attempts
>>> 2. Lock the account after n failed attempts for a period of time
>>>
>>> *How to track failed attempts?*
>>>
>>> We already have a "http://wso2.org/claims/identity/failedLoginAttempts" claim which is used in the login flow to track failed login attempts. Since this is a different flow, using the same claim to track the failed password reset attempts will lead to unintended situations. (Ex: After n failed attempts in the login flow, a user may try to reset the password. In this case, the user will see a captcha if the number of failed attempts has reached the maximum. But since this is the first time the user tries to reset the password, the captcha is redundant.)
>>>
>>> So we will introduce a new claim called "http://wso2.org/claims/identity/failedPasswordResetAttempts" to track this.
>>>
>>> *Implementation*
>>>
>>> *Enable captcha/reCaptcha after n failed attempts* - A new Captcha connector will be introduced to handle this. The configuration of the connector UI will allow modifying the connector according to the requirements.
>>
>> I assume this new connector will be much similar to "SSOLoginReCaptchaConnector" which is discussed in [1]; rather than depending on the "failedLoginAttempts" claim, the new connector will depend on the new "failedPasswordResetAttempts" claim.
>
> Yes. They will share a similar design.
>
>>> *Lock the account after n failed attempts for a period of time* - Account lock will be handled from the identity recovery REST API logic. Also the "PRE_SET_USER_CLAIMS" and "POST_SET_USER_CLAIMS" events will be reused to send notifications in case of account lock.
>>
>> Are you referring to locking the password recovery flow? What would be the impact of locking the "password recovery flow" on the "login flow"?
>
> An account lock from any flow (either from the "password recovery flow" or the "login flow") will be considered an account locked situation for the user.

I suppose both flows (the 'login flow' discussed at [3] and the 'password recovery flow') will share the same configuration with regard to locking the user's account and behave similarly.

>> Going through the supported password recovery flows listed in [2],
>>
>> Recover with Notification : Has less risk of brute force attacks
>> Recover with Secret Questions (one question at a time) : Has moderate risk of brute force attacks
>> Recover with Secret Questions (multiple questions at a time) : Has higher risk of brute force attacks
>>
>> Considering the above, it's better to have this feature enabled by default if password recovery is enabled.
>
> +1. We are planning to apply these security enhancements only to the 'Recover with Secret Questions' flows, due to the lower risk in the 'Recover with Notification' flow.
>
>> [1] "[Architecture][IS] Support for Google reCaptha"
>> [2] "Identity Management Recovery API improvements"
>>
>> Thanks,
>> Darshana
>>
>>> Appreciate your input.
>>>
>>> Thanks,
>>> Thanuja
>>>
>>> --
>>> *Thanuja Lakmal*
>>> Senior Software Engineer
>>> WSO2 Inc. http://wso2.com/
>>> *lean.enterprise.middleware*
>>> Mobile: +94715979891 +94758009992
>>
>> --
>> Regards,
>>
>> *Darshana Gunawardana*
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>> *E-mail: darsh...@wso2.com*
>> *Mobile: +94718566859*
>> Lean . Enterprise . Middleware
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992

[3] '[Architecture] [Dev][IS] Improvements in handling incorrect login attempts'

Thanks,
Malithi.

--
*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.
Mobile : +94 (0) 718176807
malit...@wso2.com
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
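A small model of the design discussed in the thread, added here as an example and not code from the thread or from WSO2 Identity Server: a separate failed-attempt claim per flow, so login failures do not trigger a redundant captcha on the user's first password reset attempt, and a time-bound account lock that either flow can set and both flows honour. The two failed-attempt claim URIs are the ones named in the thread; the accountLocked/unlockTime claim names, the thresholds and the lock period are assumptions.

```python
"""Per-flow failed-attempt tracking with a shared, time-bound account lock.
Example code, not WSO2 IS code; thresholds and lock claims are assumed."""
import time
from dataclasses import dataclass, field

# Claim URIs named in the thread: one counter per flow.
LOGIN_CLAIM = "http://wso2.org/claims/identity/failedLoginAttempts"
RESET_CLAIM = "http://wso2.org/claims/identity/failedPasswordResetAttempts"
# Assumed claim names for the lock state shared by both flows.
LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked"
UNLOCK_TIME_CLAIM = "http://wso2.org/claims/identity/unlockTime"

CAPTCHA_AFTER = 3    # assumed: require reCaptcha once a flow has this many failures
LOCK_AFTER = 5       # assumed: lock the account once a flow has this many failures
LOCK_SECONDS = 300   # assumed lock period ("for a period of time")


@dataclass
class UserClaims:
    """In-memory stand-in for a user's claim values in the user store."""
    claims: dict = field(default_factory=dict)

    def get(self, uri, default=0):
        return self.claims.get(uri, default)


def is_locked(user, now=None):
    """Shared check: a lock set by either flow blocks both flows until it expires."""
    now = time.time() if now is None else now
    if not user.get(LOCKED_CLAIM, False):
        return False
    if now >= user.get(UNLOCK_TIME_CLAIM, 0):
        user.claims[LOCKED_CLAIM] = False   # lock period over: clear the lock
        return False
    return True


def needs_captcha(user, flow_claim):
    """Captcha decision reads only the counter of the flow being attempted."""
    return user.get(flow_claim) >= CAPTCHA_AFTER


def record_failure(user, flow_claim, now=None):
    """Count a failed attempt for one flow; lock the account at LOCK_AFTER."""
    now = time.time() if now is None else now
    count = user.get(flow_claim) + 1
    user.claims[flow_claim] = count
    if count >= LOCK_AFTER:
        user.claims[LOCKED_CLAIM] = True
        user.claims[UNLOCK_TIME_CLAIM] = now + LOCK_SECONDS
        user.claims[flow_claim] = 0         # counter restarts after the lock


def record_success(user, flow_claim):
    """A successful attempt in a flow resets only that flow's counter."""
    user.claims[flow_claim] = 0
```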