Page MenuHomePhabricator

Tighten some MFA/TOTP parameters to improve resistance to brute force attacks

Authored by epriestley on Dec 18 2018, 2:01 PM.



Depends on D19897. Ref T13222. See some discussion in D19890.

  • Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
  • Reduce the number of allowed attempts per hour from 100 back to 10.
  • Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
  • Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.
Test Plan
  • Hit an MFA prompt.
  • Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
  • Answered prompt correctly.
  • Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
  • Guessed random numbers, was rate limited after 10 attempts.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.