Add notification email on invalid second authenticator #28822
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While reviewing our second factor authentication security, I realized that while we had appropriate rate-limiting and logging of authentication failures, we actually never notified the user of those failures, meaning they would be unlikely to notice such attempts.
This PR addresses that by sending a mail as soon as a 2FA attempt fails. Mails are limited to one per hour to avoid spamming in case of an attack or multiple failures.
To further reduce spam, this should not be triggered immediately, but after a few minutes without a successful log-in, as failing to enter a TOTP token correctly on time is not that unusual. However, that would be more work, and I think this change is a worthwhile security improvement.