Risk: max 10 guesses of six-digit code to mitigate automated attacks #173
Original issue 174 created by sweerek on 2012-05-01T20:57:36.000Z:
What steps will reproduce the problem?
What is the expected output? What do you see instead?
Requested two-step improvement: maximum of ten six-digit entry attempts
Risk: It appears that with the correct login and password (say from a keylogger), an unknown user has an unlimited number of attempts to guess the six-digits before it expires (2-5 minutes?).
Hypothetical: An attacker would have 50/50 odds of guessing the number in 5 minutes at 17 guesses/second.
I recommend that two-step verification only provide 10 guesses per six-digit code. With ten guesses, the odds of success are 1:1000. After 10 guesses the six-digit code expires.
To prevent automation from just repeating this attack a time penalty is needed. (1000 tries of the 10-guess max rule would get the threat inside half the time, if I recall my statistics correctly.)
A time penalty, say 2-5 minutes, between how often new six-digits are sent (and maybe accepted) would greatly slow down such automated attacks. Reporting a huge number of attempts to the user would be advisable, with the recommendation to change her password when on a trustworthy device.
While this could be a CPanel option for Google Apps admins, I think it would be more applicable to all Google 2-step users.
No change on Google Authenticator -- it would keep creating codes... they just won't be accepted by Google.
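As an added illustration of the throttling scheme the issue asks for (this is example code written for this page, not code from the original post or from the Google Authenticator project), the following Python shows a server-side TOTP verifier that caps failed guesses per code window, imposes a lockout once the cap is hit, refuses replayed codes, and counts cumulative failures so the account owner can be warned. The code generation follows RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits); the limits `MAX_ATTEMPTS = 10`, `PENALTY = 300` seconds and `REPORT_THRESHOLD = 50` are assumptions taken from the numbers discussed above, and the class and method names are invented for the example.

```python
"""Server-side TOTP check with a per-code attempt cap and lockout (example code)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Verifies codes for one account and throttles guessing.

    Policy (assumed values, taken from the issue discussion, not Google's):
      * at most MAX_ATTEMPTS wrong codes per 30-second code window,
      * once that cap is reached nothing is accepted for PENALTY seconds,
      * a code that was accepted once is never accepted again (replay),
      * cumulative failures are counted so the user can be warned.
    This state must live on the server and be shared by every login endpoint.
    """

    MAX_ATTEMPTS = 10       # assumption: "10 guesses per six-digit code"
    PENALTY = 300           # assumption: 5-minute penalty before new codes are accepted
    REPORT_THRESHOLD = 50   # assumption: failures after which the user is notified

    def __init__(self, secret: bytes, clock=time.time, step: int = 30, skew: int = 1):
        self.secret = secret
        self.clock = clock          # injectable so the behaviour can be tested offline
        self.step = step
        self.skew = skew            # accept +/- skew steps of clock drift
        self.attempts = {}          # counter -> failed attempts in that window
        self.locked_until = 0.0
        self.total_failures = 0
        self.used_counters = set()  # counters whose code was already accepted

    def verify(self, code: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "locked"         # refuse without evaluating the code at all
        counter = int(now // self.step)
        # drop attempt counts for windows that can no longer produce a valid code
        self.attempts = {c: n for c, n in self.attempts.items() if c >= counter - self.skew}

        replayed = False
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                if c in self.used_counters:
                    replayed = True     # right code, but already consumed
                    break
                self.used_counters.add(c)
                return "ok"

        # wrong or replayed code: count it against this window and the account
        self.total_failures += 1
        n = self.attempts.get(counter, 0) + 1
        self.attempts[counter] = n
        if n >= self.MAX_ATTEMPTS:
            self.locked_until = now + self.PENALTY
            return "locked"
        return "replay" if replayed else "bad_code"

    def should_warn_user(self) -> bool:
        """True once the account has seen enough failures to justify a notification."""
        return self.total_failures >= self.REPORT_THRESHOLD


if __name__ == "__main__":
    # RFC 4226 test secret; with a fixed clock the sequence below is deterministic
    secret = b"12345678901234567890"
    clock = [1_000_000.0]
    v = TotpVerifier(secret, clock=lambda: clock[0])
    for _ in range(TotpVerifier.MAX_ATTEMPTS):
        print(v.verify("000000"))       # bad_code ... then locked on the 10th
    print(v.verify(totp(secret, clock[0])))   # locked: even the right code is refused
    clock[0] += TotpVerifier.PENALTY
    print(v.verify(totp(secret, clock[0])))   # ok
    print(v.verify(totp(secret, clock[0])))   # replay
```

Two points worth noting: with `skew = 1` each guess is compared against three candidate codes, so the cap should be counted in guesses (as here) rather than in distinct codes, and the attempt counter has to be keyed on the account and stored centrally, otherwise an attacker simply spreads the same guesses across several front ends.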