feat: add rate limiting to 2fa attempts #18584
Conversation
Limits specifically calls to the 2FA-related actions: - checking a recovery code - checking a TOTP value - checking a Webauthn value The rate limits were selected to be a balance of usability vs how long it would take a slow-roll actor to continue trying. Metrics are emitted for monitoring and alerting purposes. Refs: pypi#8456 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
There was a problem hiding this comment.
The change in the ratelimit, unless I'm mistaken, means attacks will be 2.4 times slower (so >50% chance of success in 7 months)
The new metrics will surely help measuring the normal "noise" level of users failing to 2FA (assuming those kinds of attacks are rare) (maybe we're about to discover something huge :D )
This will definitely help setting the right thresholds when later pulling out the effective measures that have been discussed (exponential backoff, auto-lockout, ...)
👍 for me and thanks for taking the time to act on this 5-year-old issue :) (issue birthday was just a few days ago) <3
|
@ewjoachim Thanks for the review!
By my math, the "50 per day" is the most restrictive, so you'd need some 20k days to hit all combinations, so even if we assume that you get there in half of the entries, that's still some ~25 years. Unless I can't do math? |
|
I trust your maths more than I trust mine. I think I saw the 50/h and missed the 50/d, but let's redo the maths :) There are 1M possible TOTP codes (000000 to 999999) |
3 participants
Limits specifically calls to the 2FA-related actions:
The rate limits were selected to be a balance of usability vs how long it would take a slow-roll actor to continue trying.
Metrics are emitted for monitoring and alerting purposes.
Refs: #8456