Page MenuHomePhabricator

Add a rate limit for enroll attempts when adding new MFA configurations
ClosedPublic

Authored by epriestley on Jan 23 2019, 3:29 PM.
Tags
None
Referenced Files
F15578106: D20019.id47816.diff
Tue, May 6, 5:38 PM
F15578104: D20019.id47791.diff
Tue, May 6, 5:38 PM
F15578103: D20019.diff
Tue, May 6, 5:38 PM
F15550056: D20019.id47791.diff
Sun, Apr 27, 9:07 AM
F15504125: D20019.id47791.diff
Mon, Apr 14, 4:02 PM
F15504012: D20019.id47816.diff
Mon, Apr 14, 3:01 PM
F15498730: D20019.id.diff
Sun, Apr 13, 2:04 PM
F15413339: D20019.id47791.diff
Mar 19 2025, 6:09 PM
Subscribers
None

Details

Summary

Depends on D20018. Ref T13222. When you add a new MFA configuration, you can technically (?) guess your way through it with brute force. It's not clear why this would ever really be useful (if an attacker can get here and wants to add TOTP, they can just add TOTP!) but it's probably bad, so don't let users do it.

This limit is fairly generous because I don't think this actually part of any real attack, at least today with factors we're considering.

Test Plan
  • Added TOTP, guessed wrong a ton of times, got rate limited.
  • Added TOTP, guessed right, got a TOTP factor configuration added to my account.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable