
Distinguish between "bad password" and "rate-limited account" for failed login attempts

Open chimericdream opened this issue 3 years ago • 5 comments

Problem

When a user is rate-limited based on failed logins (e.g. 5 failed attempts in a 30-minute window), their account is "locked" in every functional sense, except for the fact that it isn't actually "locked" in the technical sense. We wanted to display a message to the user that their account was temporarily unable to log in based on too many failed auth attempts in a short window, but there is currently no way to distinguish a user's first failed login from their 100th.

Solution

It would be nice if there was a separate error message for rate-limited login attempts besides the current [InvalidLogin] one. For example:

[InvalidLogin]=Invalid login credentials. # exists today
[TooManyFailedLoginAttempts]=Too many login attempts. Please wait X minutes and try again.

Alternatives/workarounds

  • Make the current error message longer to explain the different possible reasons for a failed login
  • Basic (JavaScript) tracking of the number of times the failed login message is displayed, then dynamically replace it with a better one

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

chimericdream avatar Jun 27 '22 17:06 chimericdream

This is the intended design.

The intent behind not differentiating is that we didn't want to alert a user trying to brute force an account to slow down and let them figure out the rate-limiting cadence. Instead, the would-be attacker does not know whether they are simply entering an invalid credential or whether FusionAuth is rate limiting their requests. This way, if they are trying to brute force a login, even if they provide valid credentials it will not be apparent.

We could revisit this or allow for a configured behavior, but it is a UX trade-off for security, as are all security features for that matter.

robotdan avatar Jun 27 '22 21:06 robotdan

That makes sense in general. However, even though the user's account is locked for all practical purposes, there's no way for us to determine that this is the case. For instance, if a user is rate-limited and contacts customer service, every piece of data visible to us within the FusionAuth control panel indicates that the user's account is in a functional state. We cannot tell that the user is essentially "soft-locked" or even re-enable the account for them. The best we can do is tell them to wait a while and try again later.

chimericdream avatar Jun 27 '22 21:06 chimericdream

We could add an API to check if a user is rate limited, and also show that status in the User Manage panel in the UI. Would this help?

robotdan avatar Jul 01 '22 20:07 robotdan
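The two points made above (a single generic error for both a wrong password and a rate-limited account, and a separate admin-side status check so support staff can see the soft-lock) can be modelled together. The following is an added example, not FusionAuth's code; the 5-attempt/30-minute policy, the in-memory user store, the `FailureTracker` class and the `admin_user_status` function are all assumptions for illustration.

```python
"""Uniform login error plus an admin-only rate-limit status view.

Added example (not FusionAuth code). Models the design described in the
thread: every failed login returns the same [InvalidLogin] message, so a
caller cannot tell a bad password from a rate-limited account, while an
authenticated admin/support view can. Limits, names and the store are
assumptions for illustration.
"""
import hmac
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

MAX_FAILURES = 5            # assumed policy: 5 failed attempts ...
WINDOW_SECONDS = 30 * 60    # ... within a 30-minute sliding window

# Constructed sample credential store (plaintext only to keep the example
# self-contained; a real system stores password hashes).
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}
DUMMY_SECRET = "x" * 32     # compared against for unknown users so timing is uniform

INVALID_LOGIN = "[InvalidLogin]"   # the one message every failed attempt gets


@dataclass
class FailureTracker:
    """Sliding-window count of failed logins per username (hypothetical)."""
    limit: int = MAX_FAILURES
    window: float = WINDOW_SECONDS
    failures: Dict[str, Deque[float]] = field(default_factory=dict)

    def _window(self, user: str, now: float) -> Deque[float]:
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()          # drop failures that aged out of the window
        return q

    def record_failure(self, user: str, now: float) -> None:
        self._window(user, now).append(now)

    def reset(self, user: str) -> None:
        self.failures.pop(user, None)

    def failures_in_window(self, user: str, now: float) -> int:
        return len(self._window(user, now))

    def is_rate_limited(self, user: str, now: float) -> bool:
        return self.failures_in_window(user, now) >= self.limit

    def seconds_until_unlocked(self, user: str, now: float) -> float:
        q = self._window(user, now)
        if len(q) < self.limit:
            return 0.0
        # The account frees up when the oldest counted failure ages out.
        return q[0] + self.window - now


def login(tracker: FailureTracker, username: str, password: str,
          now: Optional[float] = None) -> dict:
    """User-facing login. A wrong password and a rate-limited account yield
    byte-identical responses, so a caller learns neither the limiter's
    cadence nor whether a guess was correct while the account is limited."""
    now = time.time() if now is None else now
    if tracker.is_rate_limited(username, now):
        # Refuse before checking the password: a correct guess during the
        # window must look exactly like a wrong one. (Assumption: attempts
        # made while limited are not counted, so the window is not extended.)
        return {"ok": False, "error": INVALID_LOGIN}
    expected = USERS.get(username, DUMMY_SECRET)
    # Constant-time compare runs for unknown users too, to avoid a timing oracle.
    ok = hmac.compare_digest(expected, password) and username in USERS
    if ok:
        tracker.reset(username)
        return {"ok": True}
    tracker.record_failure(username, now)
    return {"ok": False, "error": INVALID_LOGIN}


def admin_user_status(tracker: FailureTracker, username: str,
                      now: Optional[float] = None) -> dict:
    """What a support rep (behind admin authentication) needs to see, and
    what the user-facing path deliberately withholds."""
    now = time.time() if now is None else now
    return {
        "rateLimited": tracker.is_rate_limited(username, now),
        "failedAttemptsInWindow": tracker.failures_in_window(username, now),
        "secondsUntilUnlocked": tracker.seconds_until_unlocked(username, now),
    }


if __name__ == "__main__":
    t = FailureTracker()
    t0 = 1_000_000.0
    for i in range(MAX_FAILURES):
        print(login(t, "alice", "wrong", t0 + i))       # five [InvalidLogin]
    print(login(t, "alice", USERS["alice"], t0 + 5))    # still [InvalidLogin]
    print(admin_user_status(t, "alice", t0 + 5))        # rateLimited: True
```

The user-facing `login` never branches on the limiter in a way the caller can observe, which is the property robotdan describes; the support-side `admin_user_status` is where the "soft-locked" state and the remaining wait become visible, which is what the reporter asks for.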

I'm neutral on the API addition (though it would probably be useful), but the second option would definitely be helpful for our customer service. At the moment, if a user cannot log in but everything else appears correct, our CS reps can only guess that the user might be rate-limited. Having an explicit indicator would be invaluable.

chimericdream avatar Jul 01 '22 20:07 chimericdream

Ok, thanks @chimericdream, makes perfect sense. Appreciate the feedback. We should be able to get this into the plan.

robotdan avatar Jul 06 '22 06:07 robotdan

hi @robotdan, just came across this issue and it kind of aligns with something we'd like to do as well: allowing us to differentiate between "try again later" and "invalidLogin", more as a way to allow the customers to "debug themselves", as it were. I understand the design decision; however, it's of course better to be less verbose to withstand any possible brute force attempt.

I wonder if it can be up to the webhook/lambda implementer to decide whether or not different messaging can be communicated. I'm thinking, for instance, of handling a service interruption, with the external system being pushed briefly into some kind of maintenance mode. This can be communicated by a 503-ish response and allow the customer to know "hey, I just need to wait" (with the added possibility of being referred to a status page) instead of having to either go through a forgot-password flow or contact our customer support, which might be less of a desired experience.

Not sure if this truly aligns with the intent of this ticket; however, if you think it deserves further following up and a different issue to track the state, I'm happy to move this to a (new?) issue. Lmk

jandeschuttere avatar Nov 15 '22 13:11 jandeschuttere

Hey @robotdan, is there anything else like this associated with the InvalidLogin error code other than:

  • Invalid Username or Password
  • rate-limited account

  • any update on this issue?

gayuru avatar Jul 02 '23 09:07 gayuru