Matt Konda (Migrated from SEC-2516) said:
Provide capability and reference documentation for setting up the following features related to authentication (extending slightly on existing Spring security capabilities):
- Configurable lockout after N failed attempts
- Auto-unlock after a period of M minutes or via email
- Password reset flow (token + time limit)
- Temporary access pending email confirmation flow (time limited access until email link with token followed)
- Configurable password complexity enforcement
- Notification of password change (configurable to send email)
- Filter to prevent multiple concurrent sessions with the same login
- Support for multi-factor authentication
Idea would be to put each of these as a separate story that is part of this epic.
Inspired by:
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://github.com/plataformatec/devise
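The first two items in the list (lockout after N failed attempts, auto-unlock after M minutes or via an emailed link) are the ones with real edge cases: the counter must reset on success, an expired lock must clear itself without an administrator, and a manual unlock must also clear the counter. The plain-Java class below is an added illustration written for this page; it is not Spring Security's code and does not use Spring's API. The names `LockoutPolicy` and `State`, the sample user `alice`, and the values N=3 and M=15 minutes are assumptions chosen for the demo. The `Clock` is injected so the expiry path can be driven deterministically in a test.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative lockout policy (added example, not Spring Security's own code):
 * lock an account after N consecutive failures, auto-unlock after M minutes,
 * and allow a manual unlock (e.g. after an emailed unlock link is followed).
 */
public final class LockoutPolicy {

    /** Per-username failure state. */
    private static final class State {
        int failures;          // consecutive failures since the last success or unlock
        Instant lockedUntil;   // null while the account is not locked
    }

    private final int maxFailures;        // N: failures that trigger a lock
    private final Duration lockDuration;  // M: how long the lock lasts
    private final Clock clock;            // injected so expiry is testable
    private final Map<String, State> states = new HashMap<>();

    public LockoutPolicy(int maxFailures, Duration lockDuration, Clock clock) {
        if (maxFailures < 1) {
            throw new IllegalArgumentException("maxFailures must be >= 1");
        }
        this.maxFailures = maxFailures;
        this.lockDuration = lockDuration;
        this.clock = clock;
    }

    /** True if the account is currently locked; an expired lock is cleared here (auto-unlock). */
    public synchronized boolean isLocked(String username) {
        State s = states.get(username);
        if (s == null || s.lockedUntil == null) {
            return false;
        }
        if (!clock.instant().isBefore(s.lockedUntil)) {
            // M minutes have passed: drop both the lock and the failure counter.
            states.remove(username);
            return false;
        }
        return true;
    }

    /** Record one failed attempt; returns true if this attempt triggered the lock. */
    public synchronized boolean recordFailure(String username) {
        if (isLocked(username)) {
            return false;   // already locked; do not extend the lock on further failures
        }
        State s = states.computeIfAbsent(username, k -> new State());
        s.failures++;
        if (s.failures >= maxFailures) {
            s.lockedUntil = clock.instant().plus(lockDuration);
            return true;
        }
        return false;
    }

    /** A successful login resets the consecutive-failure counter. */
    public synchronized void recordSuccess(String username) {
        states.remove(username);
    }

    /** Manual unlock, e.g. invoked by the handler for an emailed unlock link. */
    public synchronized void unlock(String username) {
        states.remove(username);
    }

    /** Constructed walk-through of the three states: counting, locked, unlocked. */
    public static void main(String[] args) {
        LockoutPolicy policy = new LockoutPolicy(3, Duration.ofMinutes(15), Clock.systemUTC());
        String user = "alice";   // constructed sample account
        policy.recordFailure(user);
        policy.recordFailure(user);
        System.out.println("locked after 2 failures? " + policy.isLocked(user));
        boolean tripped = policy.recordFailure(user);
        System.out.println("third failure tripped the lock? " + tripped);
        System.out.println("locked after 3 failures? " + policy.isLocked(user));
        policy.unlock(user);     // stands in for the emailed unlock link being followed
        System.out.println("locked after manual unlock? " + policy.isLocked(user));
    }
}
```

Two design points worth noting for anyone turning this into a story: the state lives in a per-JVM map, so in a clustered deployment it needs a shared store or the lockout is only enforced on one node; and because failures are counted per username, a lockout policy on its own lets anyone who knows a username keep that account locked, which is why the OWASP cheat sheet linked above pairs lockout with rate limiting and a time-bounded (rather than permanent) lock.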