Merge pull request #499 from gmandyam/master

Add Rate Limiting definition to terminology section
w3c · Jun 28, 2017 · 68cc609 · 68cc609
2 parents 119dd51 + 4f3225f
commit 68cc609
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -307,6 +307,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
     attestation=], the [=credential key pair=] is also used as the [=attestation key pair=], see [=self attestation=]
     for details.
 
+:<dfn>Rate Limiting</dfn>
+:: The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting
+    the number of consecutive failed authentication attempts within a given period of time.  If the limit is reached, the authenticator
+    should impose a delay that increases exponentially with each successive attempt, or disable the current authentication modality
+    and offer a different authentication factor if available.  Rate limiting is often implemented as an aspect of [=user verification=].
+
 : <dfn>Registration</dfn>
 :: The [=ceremony=] where a user, a [=[RP]=], and the user's computing device(s) (containing at least one
     [=authenticator=]) work in concert to create a [=public key credential=] and associate it with the user's [=[RP]=] account.