
Create a brute force login protection module set

Open jasonmunro opened this issue 9 years ago • 8 comments

Lots of great ideas on this here: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

jasonmunro avatar Jun 28 '16 20:06 jasonmunro

@Danelif please advise.

marclaporte avatar May 07 '24 00:05 marclaporte

Alright

Danelif avatar May 07 '24 07:05 Danelif

I have read this article carefully https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and found it very relevant. But some techniques are not included in it. If we want to create brute-force login protection, consider including the (2-3) FA technique (2-3 Factor Authentication). The user might provide a unique OTP sent to his email address or mobile phone once the username/password is correct. Also, the limitation of attempting to log in can be considered from a single IP address. If the limit is reached we can suggest the user to recover its password by emailing an OTP to the email in our database.

Danelif avatar May 07 '24 08:05 Danelif
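The per-IP attempt limit and the "offer recovery once the limit is reached" step from the comment above, as an added example that is not Cypht's own code (Cypht is PHP; this is a stand-alone Python sketch). The user store, salt, IP address and thresholds are constructed for the demo; the throttle keeps a sliding window of failures per source key and applies a temporary lockout once the limit is hit.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # failed attempts allowed within the window (constructed value)
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a source stays locked once the limit is hit


class LoginThrottle:
    """Counts failed logins per source key (here: client IP) and locks the key temporarily."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time at which the lock expires

    def _prune(self, key, now):
        # drop failures that fell out of the sliding window
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # lock expired: forget it together with the failures that caused it
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed attempt; return True if this attempt triggered a lockout."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key, now):
        # a correct login clears the counter for that key
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def remaining_attempts(self, key, now):
        self._prune(key, now)
        return max(0, self.max_attempts - len(self._failures[key]))


# Constructed user store for the demo. A real deployment uses a random per-user salt.
_SALT = b"constructed-demo-salt"


def _hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def attempt_login(throttle, source_ip, username, password, now):
    """Return "ok", "bad_credentials", "locked_offer_recovery" or "locked"."""
    if throttle.is_locked(source_ip, now):
        return "locked"
    # hash even for unknown usernames so response time does not reveal which accounts exist
    candidate = _hash_password(password)
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected, candidate):
        throttle.record_success(source_ip, now)
        return "ok"
    if throttle.record_failure(source_ip, now):
        # limit reached: this is the point to offer recovery via an OTP sent to the stored e-mail
        return "locked_offer_recovery"
    return "bad_credentials"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(6):
        print(attempt_login(t, "203.0.113.5", "alice", "guess", time.time()))
```

Keying the throttle on the client IP alone is what the comment proposes; in practice the same structure is usually instantiated twice, once keyed on IP and once on the target username, so that a distributed attempt against one account is also caught and a shared NAT address does not lock out every user behind it.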

@Danelif Thank you, please look at how it is done in Tiki to get some more good ideas.

marclaporte avatar May 07 '24 16:05 marclaporte

@marclaporte In Tiki, 2FA is done using the Google2FA PHP library. Good idea indeed. Instead of using OTP, in Tiki we use TOTP. But the only problem is that there is not much documentation and usage. I wonder why?

Danelif avatar May 16 '24 07:05 Danelif

Some docs:

  • https://doc.tiki.org/PluginTOTP
  • https://doc.tiki.org/Two-factor-authentication

TOTP uses time, so the code changes every 30 seconds.

marclaporte avatar May 17 '24 07:05 marclaporte
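The time-based code just described, as an added example that is neither Cypht's nor Tiki's code and does not use the Google2FA library: an RFC 6238 TOTP generator built on RFC 4226 HOTP (HMAC-SHA1, 30-second step, 6 digits, the usual defaults), plus the server-side verifier a login module would need, with one step of clock-skew tolerance and a replay guard so a code intercepted within its 30-second lifetime cannot be used a second time. The base32 secret in the demo is the RFC 6238 test secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default: the code changes every 30 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret as shown in enrolment QR codes (padding is often omitted)."""
    cleaned = encoded.replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and a replay guard per accepted step."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, digits: int = DIGITS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew            # accept codes from this many steps before/after now
        self._last_counter = -1     # highest counter already accepted; never accept it again

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self._last_counter:
                continue  # already used (replay) or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test secret
    now = time.time()
    print("current code:", totp(demo_secret, now),
          "valid for", STEP_SECONDS - int(now) % STEP_SECONDS, "s")
```

The `_last_counter` state must live in the user's record on the server (not per process) for the replay guard to mean anything, and the verifier should itself sit behind the login throttle above it: a 6-digit code has only a million values, so an unthrottled second factor is brute-forceable in its own right.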

@marclaporte I have seen how 2FA works in Tiki. It could be great to do the same in Cypht.

Danelif avatar Jul 10 '24 12:07 Danelif

ok, please proceed as a medium priority. High priority is fixing bugs before adding new features.

marclaporte avatar Jul 10 '24 15:07 marclaporte