Skip to content

Add bruteforce protection to two factor challenge endpoint #2626

Description

@LukasReschke

We should add the bruteforce protection also the two factor challenge endpoint, there are some challenges with that mainly the fact that we can't just throttle the controller because then a valid token may be expired again.

My proposal would be to basically logout users after 3 invalid Two Factor challenges and increase the bruteforce counter in that case. The user has then to reenter their password and this case will be slowed down.

cc @ChristophWurst @nextcloud/security Thoughts?

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions