It appears that if 'Clear failcounter after minutes' is set to a non-zero value, after that timeout expires, any token can be brute forced.
I believe one of two options could be pursued to mitigate this.
Option #1 (more security, less user-friendly):
After the failcounter is exceeded, any additional failed attempt will 'reset' the fail exceeded counter and restart the timeout.
Option #2 (more user-friendly):
After the failcounter is exceeded, truly reset the failcounter to 0 so that the user would have more attempts before they are locked out again.
I believe #1 would be easier to implement programmatically.
Community Thread:
https://community.privacyidea.org/t/failcount-automatic-clearing-and-brute-forcing/1005/3
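To make the trade-off between the two options concrete, here is a toy simulation (added example, not code from the issue or from privacyIDEA) of a per-token failcounter with a 'clear after N minutes' timeout under three policies. The `reported` policy is an assumption about the behaviour the issue describes: once the timeout elapses, the lock lifts and later failures no longer re-arm it; the threshold of 10 failures, the 60 s clear timeout and the one-guess-per-second attacker are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAIL = 10        # assumed lockout threshold (constructed, not a privacyIDEA default)
CLEAR_AFTER_S = 60   # assumed 'Clear failcounter after minutes', in seconds


@dataclass
class FailCounter:
    policy: str                        # "reported", "option1" or "option2"
    fails: int = 0
    last_fail_at: Optional[int] = None

    def _timeout_expired(self, now: int) -> bool:
        return self.last_fail_at is not None and now - self.last_fail_at >= CLEAR_AFTER_S

    def attempt(self, now: int, otp_correct: bool) -> Optional[bool]:
        """None: rejected while locked (OTP never checked). Otherwise the check result."""
        if self.fails >= MAX_FAIL:
            if not self._timeout_expired(now):
                if self.policy == "option1":
                    self.last_fail_at = now   # Option #1: any attempt while locked restarts the timeout
                return None
            if self.policy == "option2":
                self.fails = 0                # Option #2: truly reset, grant MAX_FAIL fresh attempts
        if otp_correct:
            self.fails, self.last_fail_at = 0, None
            return True
        if self.fails < MAX_FAIL:
            self.fails += 1
            self.last_fail_at = now
        elif self.policy == "option1":
            self.last_fail_at = now           # Option #1: failure after expiry re-arms the lock
        # "reported" (assumed): counter stays pinned at MAX_FAIL and the timer is never
        # re-armed, so every further guess reaches the OTP check.
        return False


def checked_guesses(policy: str, duration_s: int) -> int:
    """Guesses that reach the OTP check when an attacker submits one wrong OTP
    per second for duration_s seconds (constructed attacker model)."""
    fc = FailCounter(policy)
    return sum(1 for t in range(duration_s) if fc.attempt(t, False) is not None)


if __name__ == "__main__":
    for policy in ("reported", "option1", "option2"):
        print(f"{policy:9s} guesses checked in 1 h: {checked_guesses(policy, 3600)}")
```

Over one simulated hour the `reported` policy checks 3541 guesses, `option1` checks 10 and then never unlocks while the attacker keeps trying (which also locks out the legitimate user), and `option2` checks 530, ten per 69 s cycle.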