concept: fuzzy authentication
Fuzzy authentication could take into account some "AI" and evaluate factors like
- the IP address
- when the user last authenticated (a user will probably not authenticate every two minutes)
- the current time of day
It could learn authentication behaviour and
- trigger an alarm if threshold_A is exceeded
- deny access if threshold_B is exceeded
We could start with simple limits:
- max_auth_success=1/5m
- max_auth_fail=10/24h
That is, a maximum of 1 successful authentication per 5 minutes and a maximum of 10 failed authentications per 24h.
To do this, we could grab the information from the audit-log and search for the failed and successful auth events of the user. These would be policies in the scope "authorization", since these evaluations occur after a user was authenticated (i.e. if the user enters a valid OTP-value but fails due to max_auth_success, the OTP-value must not be usable anymore).
Again, we could implement this as decorators to modify the authentication behaviour.
If auth_max_fail is reached, an authentication (even a successful one) is not allowed anymore.
If an auth_max_fail policy is defined, maybe the original failcounter should not be used. It might still be increased and reset, but it should not be checked.
Thus, if you disable the auth_max_fail policy again, you can go on with the existing failcounter values.
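As an added illustration of the proposal above (example code written for this note, not privacyIDEA's own implementation), the following sketch wraps a credential check in a decorator that consults an in-memory audit log, applies the max_auth_success=1/5m and max_auth_fail=10/24h limits after the credential was verified, and bypasses the token failcounter while an auth_max_fail policy is set. The audit entries, the ToyToken, the clock callable and the limit-string format are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from functools import wraps


@dataclass(frozen=True)
class AuditEntry:
    """One line of the (constructed) audit log."""
    user: str
    timestamp: datetime
    credential_ok: bool   # the OTP/password itself was valid
    allowed: bool         # final decision after the policy evaluation


def parse_limit(spec):
    """Parse a limit such as '1/5m' or '10/24h' into (count, window)."""
    count, window = spec.split("/")
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return int(count), timedelta(**{units[window[-1]]: int(window[:-1])})


def count_events(audit, user, now, window, predicate):
    """Count the user's audit entries inside (now - window, now] matching predicate."""
    return sum(1 for e in audit
               if e.user == user and now - window < e.timestamp <= now and predicate(e))


def evaluate_limits(audit, user, now, max_auth_success=None, max_auth_fail=None):
    """Authorization-scope check, run only after the credential was found valid."""
    if max_auth_fail is not None:
        n, window = parse_limit(max_auth_fail)
        if count_events(audit, user, now, window, lambda e: not e.credential_ok) >= n:
            return False, "max_auth_fail reached"
    if max_auth_success is not None:
        n, window = parse_limit(max_auth_success)
        if count_events(audit, user, now, window, lambda e: e.allowed) >= n:
            return False, "max_auth_success reached"
    return True, "ok"


def failcounter_blocks(token_failcount, token_maxfail, max_auth_fail=None):
    """The token failcounter is only consulted when no auth_max_fail policy is defined."""
    if max_auth_fail is not None:
        return False
    return token_failcount >= token_maxfail


def with_auth_limits(audit, clock, **limits):
    """Decorator: check the credential first (consuming the OTP), then apply the limits."""
    def decorator(check_credential):
        @wraps(check_credential)
        def wrapper(user, credential):
            now = clock()
            credential_ok = check_credential(user, credential)  # OTP is used up even if denied below
            allowed, reason = False, "invalid credential"
            if credential_ok:
                allowed, reason = evaluate_limits(audit, user, now, **limits)
            audit.append(AuditEntry(user, now, credential_ok, allowed))
            return allowed, reason
        return wrapper
    return decorator


class ToyToken:
    """Stand-in for an OTP token: every value is valid exactly once (constructed)."""
    def __init__(self, otps):
        self.unused = set(otps)

    def check(self, otp):
        if otp in self.unused:
            self.unused.remove(otp)
            return True
        return False


def demo_success_limit():
    """Two valid OTPs within 5 minutes: the second is denied and still consumed."""
    audit, t0 = [], datetime(2024, 1, 1, 12, 0, 0)
    state = {"now": t0}
    token = ToyToken(["111111", "222222", "333333"])

    @with_auth_limits(audit, lambda: state["now"], max_auth_success="1/5m", max_auth_fail="10/24h")
    def check(user, otp):
        return token.check(otp)

    results = [check("alice", "111111")]              # allowed
    state["now"] = t0 + timedelta(minutes=2)
    results.append(check("alice", "222222"))          # denied by max_auth_success, OTP consumed
    results.append(check("alice", "222222"))          # replay of the consumed OTP fails
    state["now"] = t0 + timedelta(minutes=6)
    results.append(check("alice", "333333"))          # window has passed, allowed again
    return results


def demo_fail_limit():
    """Ten failures in 24h block even a correct OTP afterwards."""
    audit, t0 = [], datetime(2024, 1, 1)
    token = ToyToken(["999999"])

    @with_auth_limits(audit, lambda: t0, max_auth_fail="10/24h")
    def check(user, otp):
        return token.check(otp)

    for _ in range(10):
        check("bob", "000000")
    return check("bob", "999999")


if __name__ == "__main__":
    print(demo_success_limit())
    print(demo_fail_limit())
```

Because the wrapped credential check runs before the limits are evaluated, a denied attempt still consumes the OTP value, which is the property the note asks for; the audit log records both the credential result and the final decision so that success and failure limits can be counted independently.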