Differential D19898

Tighten some MFA/TOTP parameters to improve resistance to brute force attacks
ClosedPublic
Actions

Authored by epriestley on Dec 18 2018, 2:01 PM.

Tags

None

Referenced Files

	F12189517: D19898.id.diff
	Tue, Sep 19, 4:13 PM

	F12185486: D19898.diff
	Sat, Sep 16, 9:16 AM

	F12166359: D19898.diff
	Thu, Sep 7, 1:25 AM

	F12150436: D19898.id47508.diff
	Sat, Sep 2, 7:01 PM

	F12148828: D19898.id47586.diff
	Sat, Sep 2, 3:09 AM

	Unknown Object (File)
	Jul 17 2023, 4:51 PM

	Unknown Object (File)
	Jul 12 2023, 1:20 PM

	Unknown Object (File)
	Jul 4 2023, 10:26 PM

View All 56 Files

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content

Commits

rP3da9844564cf: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks

Summary

Depends on D19897. Ref T13222. See some discussion in D19890.

Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
Reduce the number of allowed attempts per hour from 100 back to 10.
Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.

Test Plan

Hit an MFA prompt.
Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
Answered prompt correctly.
Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
Guessed random numbers, was rate limited after 10 attempts.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Dec 18 2018, 2:01 PM

Harbormaster completed remote builds in B21362: Diff 47508.Dec 18 2018, 2:03 PM

epriestley requested review of this revision.Dec 18 2018, 2:03 PM

epriestley mentioned this in T13226: Consider login/session alerts, and other security alerts (for example, around MFA).Dec 18 2018, 2:20 PM

epriestley added a child revision: D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.Dec 18 2018, 3:19 PM

epriestley mentioned this in D19890: Simplify and correct some challenge TTL lockout code.Dec 18 2018, 8:11 PM

amckinley accepted this revision.Dec 18 2018, 9:57 PM

This revision is now accepted and ready to land.Dec 18 2018, 9:57 PM

Closed by commit rP3da9844564cf: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks (authored by epriestley). · Explain WhyDec 28 2018, 8:10 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

auth/

action/

PhabricatorAuthTryFactorAction.php

2 lines

engine/

PhabricatorAuthSessionEngine.php

29 lines

factor/

PhabricatorAuthFactor.php

4 lines

PhabricatorTOTPAuthFactor.php

42 lines

Diff 47586

src/applications/auth/action/PhabricatorAuthTryFactorAction.php

Loading...

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...

src/applications/auth/factor/PhabricatorAuthFactor.php

Loading...

src/applications/auth/factor/PhabricatorTOTPAuthFactor.php

Loading...