Invalidate authentication session on repeated Recovery Code failures #26180
Labels: area/authentication (Indicates an issue on Authentication area), kind/bug (Categorizes a PR related to a bug), release/24.0.0
Milestone
Area
authentication
Describe the bug
At present, when a user is locked out by brute force protection, the authentication session isn't invalidated. As a result, when a temporary lockout expires an attacker can continue trying to guess the Recovery Code without reauthenticating. We should terminate the authentication session when the user is locked out by brute force.
Version
999.0.0-SNAPSHOT
Expected behavior
When the user is locked out by brute force protection, the auth session should end and the browser should be redirected to the login page.
Actual behavior
When the user is locked out by brute force protection, the auth session remains valid and the user can continue guessing recovery codes.
How to Reproduce?
Configure recovery codes and enable brute force protection. Guess the recovery code enough times to get a temporary lockout of the user. Wait for the lockout to time out and continue guessing recovery codes without reauthenticating.
Anything else?
No response
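The following is an added illustration, not Keycloak's own code: a small Python model of the flow the report describes. An in-progress authentication session (first factor already passed) is held while a recovery code is checked, and a brute force protector imposes a temporary lockout after a few failures. The `invalidate_session_on_lockout` switch contrasts the reported behaviour (session survives the lockout, so guessing resumes once it expires) with the expected one (lockout ends the session, so the next attempt is refused until the user logs in again). All class names, the sample user and the sample codes are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _hash_code(code: str) -> str:
    # Recovery codes are stored hashed; plaintext is never kept server-side.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class AuthSession:
    """One in-progress login: the first factor passed, the recovery code has not yet."""
    user: str
    valid: bool = True


@dataclass
class BruteForceProtector:
    """Temporary lockout: after max_failures consecutive failures, refuse attempts for lockout_seconds."""
    max_failures: int = 3
    lockout_seconds: int = 60
    now: float = 0.0  # simulated clock (seconds), advanced by the caller instead of wall time
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        return user in self.locked_until and self.now < self.locked_until[user]

    def record_failure(self, user: str) -> bool:
        """Count a failure; return True if this failure triggered a lockout."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.now + self.lockout_seconds
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


class RecoveryCodeAuthenticator:
    def __init__(self, protector: BruteForceProtector, invalidate_session_on_lockout: bool):
        self.protector = protector
        self.invalidate_session_on_lockout = invalidate_session_on_lockout
        self.codes: Dict[str, Set[str]] = {}  # user -> hashes of still-unused codes

    def register_codes(self, user: str, codes: List[str]) -> None:
        self.codes[user] = {_hash_code(c) for c in codes}

    def authenticate(self, session: AuthSession, code: str) -> str:
        if not session.valid:
            return "no_session"  # session was ended; user must start over at the login page
        user = session.user
        if self.protector.is_locked(user):
            return "locked"
        digest = _hash_code(code)
        match = None
        for stored in self.codes.get(user, set()):
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is not None:
            self.codes[user].discard(match)  # recovery codes are single-use
            self.protector.record_success(user)
            return "success"
        locked_now = self.protector.record_failure(user)
        if locked_now and self.invalidate_session_on_lockout:
            session.valid = False  # the fix: a lockout terminates the authentication session
        return "invalid"


def simulate(invalidate_session_on_lockout: bool) -> List[str]:
    """Reproduce the report: guess until locked, wait out the lockout, guess again."""
    protector = BruteForceProtector(max_failures=3, lockout_seconds=60)
    auth = RecoveryCodeAuthenticator(protector, invalidate_session_on_lockout)
    auth.register_codes("alice", ["9c1e-4fb2", "aa10-77d3"])  # constructed sample codes
    session = AuthSession(user="alice")
    results = [auth.authenticate(session, g) for g in ["0000-0000", "1111-1111", "2222-2222"]]
    results.append(auth.authenticate(session, "3333-3333"))  # attempt during the lockout
    protector.now += 61  # lockout has expired
    results.append(auth.authenticate(session, "4444-4444"))  # attempt after the lockout
    return results


if __name__ == "__main__":
    print("session kept across lockout :", simulate(False))
    print("session ended on lockout    :", simulate(True))
```

With the session kept, the fifth attempt is evaluated again ("invalid"), so the attacker only has to pace guesses around the lockout window; with the session ended on lockout, every later attempt on that session is refused ("no_session") and the first factor must be presented again.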