Risk: max 10 guess of six-digit code to mitigate automated attacks #173

Open
ThomasHabets opened this Issue Oct 10, 2014 · 0 comments

Comments

Projects
None yet
2 participants
Contributor

ThomasHabets commented Oct 10, 2014

Original issue 174 created by sweerek on 2012-05-01T20:57:36.000Z:

What steps will reproduce the problem?

  1. Use two-step authenication
  2. Enter name and password in Google login page
  3. Guess six-digits

What is the expected output? What do you see instead?
If I'm a bad guy and can enter 17 guesses a second, I'll get in half the time before the code expires (in 5 minutes).

Requested two-step Improvement: Maximum of ten of six-digit entry attempts

Risk: It appears that with the correct login and password (say from a keylogger), an unknown user has an unlimited number of attempts to guess the six-digits before it expires (2-5 minutes?).

Hypothetical: An attacker would have 50/50 odds of guessing the number in 5 minutes at 17 guesses/second.

I recommend that two-step verification only provide 10 guesses per six-digit code. With ten guess, the odds of success are 1:1000. After 10 guesses the six-digit code expires.

To prevent automation from just repeating this attack a time penalty is needed. (1000 tries of the 10-guess max rule would get the threat inside half the time, if I recall my statistics correctly.)

A time penalty, say 2-5 minutes, between how often new six-digits are sent (and maybe accepted) would greatly slow-down such automated attacks. Reporting a huge number of attempts to the user would be advisable, with the recommendation to change her password when on a trustworthy device.

While this could be a CPanel option for Google Apps admins, the I think it would be more applicable to all Google 2-step users.

No change on Google Authenicator -- it would keep creating codes... they just won't be accepted by Google.

google was assigned by ThomasHabets Oct 10, 2014

google was unassigned by ThomasHabets Oct 10, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment