Page MenuHomePhabricator

Tighten some MFA/TOTP parameters to improve resistance to brute force attacks
ClosedPublic

Authored by epriestley on Dec 18 2018, 2:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 20, 8:39 PM
Unknown Object (File)
Fri, Dec 20, 7:34 PM
Unknown Object (File)
Fri, Dec 20, 11:58 AM
Unknown Object (File)
Tue, Dec 17, 9:09 PM
Unknown Object (File)
Sat, Dec 14, 5:53 PM
Unknown Object (File)
Fri, Dec 13, 8:33 AM
Unknown Object (File)
Thu, Dec 5, 1:36 PM
Unknown Object (File)
Tue, Dec 3, 10:46 AM
Subscribers
None

Details

Summary

Depends on D19897. Ref T13222. See some discussion in D19890.

  • Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
  • Reduce the number of allowed attempts per hour from 100 back to 10.
  • Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
  • Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.
Test Plan
  • Hit an MFA prompt.
  • Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
  • Answered prompt correctly.
  • Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
  • Guessed random numbers, was rate limited after 10 attempts.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable