Differential D19898

Tighten some MFA/TOTP parameters to improve resistance to brute force attacks
ClosedPublic
Actions

Authored by epriestley on Dec 18 2018, 2:01 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Tue, Jan 28, 4:26 AM

	Unknown Object (File)
	Tue, Jan 28, 4:26 AM

	Unknown Object (File)
	Tue, Jan 28, 4:26 AM

	Unknown Object (File)
	Sat, Jan 25, 3:56 PM

	Unknown Object (File)
	Sat, Jan 25, 2:52 AM

	Unknown Object (File)
	Sat, Jan 25, 2:52 AM

	Unknown Object (File)
	Sat, Jan 25, 2:52 AM

	Unknown Object (File)
	Tue, Jan 21, 9:34 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content

Commits

rP3da9844564cf: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks

Summary

Depends on D19897. Ref T13222. See some discussion in D19890.

Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
Reduce the number of allowed attempts per hour from 100 back to 10.
Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.

Test Plan

Hit an MFA prompt.
Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
Answered prompt correctly.
Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
Guessed random numbers, was rate limited after 10 attempts.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Dec 18 2018, 2:01 PM

Harbormaster completed remote builds in B21362: Diff 47508.Dec 18 2018, 2:03 PM

epriestley requested review of this revision.Dec 18 2018, 2:03 PM

epriestley mentioned this in T13226: Consider login/session alerts, and other security alerts (for example, around MFA).Dec 18 2018, 2:20 PM

epriestley added a child revision: D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.Dec 18 2018, 3:19 PM

epriestley mentioned this in D19890: Simplify and correct some challenge TTL lockout code.Dec 18 2018, 8:11 PM

amckinley accepted this revision.Dec 18 2018, 9:57 PM

This revision is now accepted and ready to land.Dec 18 2018, 9:57 PM

Closed by commit rP3da9844564cf: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks (authored by epriestley). · Explain WhyDec 28 2018, 8:10 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

auth/

action/

PhabricatorAuthTryFactorAction.php

2 lines

engine/

PhabricatorAuthSessionEngine.php

29 lines

factor/

PhabricatorAuthFactor.php

4 lines

PhabricatorTOTPAuthFactor.php

42 lines

Diff 47586

src/applications/auth/action/PhabricatorAuthTryFactorAction.php

Loading...

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...

src/applications/auth/factor/PhabricatorAuthFactor.php

Loading...

src/applications/auth/factor/PhabricatorTOTPAuthFactor.php

Loading...