Hi, I have developed a new adaptive authentication script considering the number of failed login attempts of a user. Its basic scenario can be explained as follows.

Let's consider a scenario where you want to prompt an additional level of authentication for a user who has exceeded a specific number of continuous failed login attempts. Also, you want to consider all the failed login attempts of a user until a successful login attempt, even if those continuous failed attempts are made over several days. For that purpose, the 'Failed Login Attempts' claim is used to keep track of the number of failed login attempts of a user. Since this number resets to 0 when a successful login happens, a new claim needs to be introduced to store the number of failed login attempts just before a successful login attempt. Here is the PR for that new claim [1 <https://github.com/wso2/carbon-identity-framework/pull/1975>].

In order to update the number of failed login attempts, account locking under the resident IDP's login policies needs to be enabled. Therefore, the 'Failed Lockout Count' claim is also considered when counting the number of failed login attempts just before a success. The changes needed in AccountLockHandler can be found here [2 <https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49>].

Follow the instructions in [3 <https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing>] to test this template with WSO2 IS 5.7.0. The implemented script will be added as a default template under script-based adaptive authentication since it is a common use case.

-Script-

    // This variable is used to define the number of invalid attempts allowed before prompting the second factor
    var invalidAttemptsToStepup = 3;

    // Claim that holds the failed attempt count captured just before the last successful login
    var failedLoginAttemptsBeforeSuccessClaim = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';

    function onLoginRequest(context) {
        doLogin(context);
    }

    function doLogin(context) {
        executeStep(1, {
            onSuccess : function(context) {
                var user = context.steps[1].subject;
                // Step up to the second factor only when the user's recent failure history is too long
                if (isExceedInvalidAttempts(user)) {
                    executeStep(2);
                }
            },
            onFail : function(context) {
                // Retry the login..
                doLogin(context);
            }
        });
    }

    function isExceedInvalidAttempts(user) {
        if (user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup) {
            return true;
        } else {
            return false;
        }
    }

[1] https://github.com/wso2/carbon-identity-framework/pull/1975
[2] https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49
[3] https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing

*Anuradha Karunarathna*
Intern-Software Engineering | WSO2, Inc.
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
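An added, offline simulation of the claim bookkeeping the post describes, so the step-up decision can be exercised without a WSO2 IS deployment (example code, not from the post or from WSO2). The only claim URI taken from the post is failedLoginAttemptsBeforeSuccess; the other two URIs, the in-memory claim store, the mock of executeStep, and the arithmetic combining the lockout count with the attempt counter are assumptions.

```javascript
// Assumed claim URIs for the two counters the account-lock handler already maintains;
// only BEFORE_SUCCESS_CLAIM is quoted in the post.
const FAILED_ATTEMPTS_CLAIM = 'http://wso2.org/claims/identity/failedLoginAttempts';
const LOCKOUT_COUNT_CLAIM = 'http://wso2.org/claims/identity/failedLoginLockoutCount';
const BEFORE_SUCCESS_CLAIM = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';

// Simulated claim store. Assumption: when failedLoginAttempts reaches the lockout
// threshold the handler increments the lockout count and zeroes the attempt counter,
// so the total before a success is lockoutCount * threshold + failedLoginAttempts.
function createClaimStore(lockoutThreshold) {
  const claims = { [FAILED_ATTEMPTS_CLAIM]: 0, [LOCKOUT_COUNT_CLAIM]: 0, [BEFORE_SUCCESS_CLAIM]: 0 };
  return {
    claims,
    recordFailure() {
      claims[FAILED_ATTEMPTS_CLAIM] += 1;
      if (claims[FAILED_ATTEMPTS_CLAIM] >= lockoutThreshold) {
        claims[LOCKOUT_COUNT_CLAIM] += 1;
        claims[FAILED_ATTEMPTS_CLAIM] = 0;
      }
    },
    recordSuccess() {
      // Snapshot the total before the handler resets both counters.
      claims[BEFORE_SUCCESS_CLAIM] =
        claims[LOCKOUT_COUNT_CLAIM] * lockoutThreshold + claims[FAILED_ATTEMPTS_CLAIM];
      claims[FAILED_ATTEMPTS_CLAIM] = 0;
      claims[LOCKOUT_COUNT_CLAIM] = 0;
    },
  };
}

// The post's decision rule, taking the user's localClaims map as the script would see it.
function isExceedInvalidAttempts(localClaims, invalidAttemptsToStepup) {
  return (localClaims[BEFORE_SUCCESS_CLAIM] || 0) >= invalidAttemptsToStepup;
}

// Replay a sequence of login outcomes ('fail' | 'success') for one user. Returns the
// step numbers the script would execute in order (step 1 per attempt, step 2 only when
// a success follows too many failures) plus the final claim values.
function simulateLogins(outcomes, { lockoutThreshold = 5, invalidAttemptsToStepup = 3 } = {}) {
  const store = createClaimStore(lockoutThreshold);
  const executed = [];
  for (const outcome of outcomes) {
    executed.push(1);                                             // executeStep(1): password step
    if (outcome === 'fail') { store.recordFailure(); continue; }  // onFail: retry step 1
    store.recordSuccess();                                        // onSuccess: claims hold the snapshot
    if (isExceedInvalidAttempts(store.claims, invalidAttemptsToStepup)) executed.push(2);
  }
  return { executed, claims: { ...store.claims } };
}
```

Because the simulation has no notion of time, failures spread over several days accumulate exactly as failures within one session, which is the behaviour the post wants.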
