Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Give IPs more trust if they already logged-in previously to the same account #492

Open
LukasReschke opened this issue Jul 21, 2016 · 4 comments

Comments

@LukasReschke
Copy link
Member

@LukasReschke LukasReschke commented Jul 21, 2016

If an user has already logged-in previously to an account it may be sensible to give them a little bit more trust. We should also clear the throttling limit for that account then in case they want to relogin later or so.

Needs some more discussion and thoughts…

@oparoz
Copy link
Member

@oparoz oparoz commented Jul 21, 2016

Hmmm. I'm not convinced as some IPs are recycled while others are spoofed. There is also the problem of a device which becomes infected with malware.

@tflidd
Copy link
Contributor

@tflidd tflidd commented Aug 2, 2016

I would do it the other way round, if it is an unusual location you must use second factor authentication.

@Spacefish
Copy link
Contributor

@Spacefish Spacefish commented Aug 2, 2016

Maybe use maxmind geodb or just the class A network the user logged in
with. Once a new country or class A is spotted (which the user has never
logged in from before) lower the trust.

@nextcloud-bot nextcloud-bot added the stale label Jun 20, 2018
@nextcloud-stale nextcloud-stale bot removed the stale label Jun 12, 2019
@lynn-stephenson
Copy link
Contributor

@lynn-stephenson lynn-stephenson commented Sep 24, 2020

This is can be a convenient but dangerous "security" feature. It can be avoided by keeping a simple design, such as not trying to decide whether IPs' trustworthiness for a particular account.

If I sign up & in via the Tor network (or other publicly accessible proxies), it is entirely possible for an adversary (especially system administrators running the NextCloud instance) to determine if I do or not.

Locking down accounts based on IP, can be seriously inconvenient, but not significantly more secure. But if you start by not enabling 2FA when an IP is trustworthy you're crossing dangerous territory. If I enable 2FA on my account, I expect to have to use that 2FA when I sign in. Not have the server automatically decide for me if my account needs extra protection or not despite enabling 2FA.

This applies for rate limiting authentication as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants