Differential D20019

Add a rate limit for enroll attempts when adding new MFA configurations
ClosedPublic
Actions

Authored by epriestley on Jan 23 2019, 3:29 PM.

Tags

None

Referenced Files

	F15578106: D20019.id47816.diff
	Tue, May 6, 5:38 PM

	F15578104: D20019.id47791.diff
	Tue, May 6, 5:38 PM

	F15578103: D20019.diff
	Tue, May 6, 5:38 PM

	F15550056: D20019.id47791.diff
	Sun, Apr 27, 9:07 AM

	F15504125: D20019.id47791.diff
	Mon, Apr 14, 4:02 PM

	F15504012: D20019.id47816.diff
	Mon, Apr 14, 3:01 PM

	F15498730: D20019.id.diff
	Sun, Apr 13, 2:04 PM

	F15413339: D20019.id47791.diff
	Mar 19 2025, 6:09 PM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content

Commits

rP7c1d1c13f4a3: Add a rate limit for enroll attempts when adding new MFA configurations

Summary

Depends on D20018. Ref T13222. When you add a new MFA configuration, you can technically (?) guess your way through it with brute force. It's not clear why this would ever really be useful (if an attacker can get here and wants to add TOTP, they can just add TOTP!) but it's probably bad, so don't let users do it.

This limit is fairly generous because I don't think this actually part of any real attack, at least today with factors we're considering.

Test Plan

Added TOTP, guessed wrong a ton of times, got rate limited.
Added TOTP, guessed right, got a TOTP factor configuration added to my account.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jan 23 2019, 3:29 PM

Harbormaster completed remote builds in B21644: Diff 47791.Jan 23 2019, 3:31 PM

epriestley requested review of this revision.Jan 23 2019, 3:31 PM

epriestley added a child revision: D20020: Allow different MFA factor types (SMS, TOTP, Duo, ...) to share "sync" tokens when enrolling new factors.Jan 23 2019, 4:42 PM

amckinley accepted this revision.Jan 23 2019, 6:57 PM

This revision is now accepted and ready to land.Jan 23 2019, 6:57 PM

Closed by commit rP7c1d1c13f4a3: Add a rate limit for enroll attempts when adding new MFA configurations (authored by epriestley). · Explain WhyJan 23 2019, 10:12 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

applications/

auth/

action/

PhabricatorAuthNewFactorAction.php

21 lines

settings/

panel/

PhabricatorMultiFactorSettingsPanel.php

24 lines

Diff 47816

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthNewFactorAction.php

Loading...

src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php

Loading...