-
Notifications
You must be signed in to change notification settings - Fork 111
Limit authentication attempts? #77
Comments
Currently there is no limit implemented. If you want to contribute, feel free to create a pull request. |
This feature is really important for security.
The both measures are:
|
Thank you both for your replies! And a great explanation of the security risks, @Spomky!
I would like to contribute. Perhaps you two can help with thinking about the ideal solution? What would be the best way to save the failed attempts? What about adding two fields to the user entity?
And would it be secure to just empty these fields as soon as there is a successful attempt? |
That would definitely be the proper solution. I also thought about storing the data in the session, but then an attacker which has username/password could just drop the session and start from scratch. So there is no alternative to persisting the information somewhere. |
I know that this is an old thread, but surely it would be easier to use fail2ban's existing functionality? It even comes with a handy Symfony bundle |
Thank you for your reply! I'm not really familiar with fail2ban. Could you describe how this would provide a solution for this problem? |
From the fail2ban website: Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. The plugin that is linked to details how to configure this service to work with Symfony applications, although I am pretty certain that extra work will be needed to factor in this bundle. |
Sounds like an interesting solution. But something to keep in mind regarding the user experience: multiple failed attempts are not necessarily hack attempts. It might be a valid user that just isn't able to produce the right Google Authenticator code (for whatever reason). Just shutting those users out by completely blocking their IP is probably not what you want. Suddenly they won't be able to reach the website, without knowing what's going on. A decent error message is much more user friendly, in my opinion. Also: when there's (for instance) a company operating from one IP address multiple failed attempts might come from different users. So you might shut out a whole company when just a few users have trouble producing the right Google Authenticator code. I don't think fail2ban will be able to distinguish those different users? What's your take on this? |
The upcoming 3.0 version provides hooks to implement anti brute-force. See the docs: https://github.com/scheb/two-factor-bundle/blob/master/Resources/doc/brute_force_protection.md |
I really love this bundle!
I've got a question about the security of the Google Authenticator part of the bundle:
Wouldn't it be necessary to limit the authentication attempts? I know every code is only valid for 30 seconds, but that doesn't totally rule out a brute force attack.
What's your take on this? And how to handle with this issue?
The text was updated successfully, but these errors were encountered: