Page MenuHomePhabricator

Tighten some MFA/TOTP parameters to improve resistance to brute force attacks
ClosedPublic

Authored by epriestley on Dec 18 2018, 2:01 PM.
Tags
None
Referenced Files
F12842066: D19898.id47508.diff
Thu, Mar 28, 9:43 PM
Unknown Object (File)
Fri, Mar 22, 9:47 PM
Unknown Object (File)
Sat, Mar 16, 10:56 PM
Unknown Object (File)
Sun, Mar 10, 4:18 PM
Unknown Object (File)
Wed, Feb 28, 11:35 PM
Unknown Object (File)
Feb 3 2024, 8:22 PM
Unknown Object (File)
Jan 29 2024, 11:55 AM
Unknown Object (File)
Dec 27 2023, 12:59 PM
Subscribers
None

Details

Summary

Depends on D19897. Ref T13222. See some discussion in D19890.

  • Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
  • Reduce the number of allowed attempts per hour from 100 back to 10.
  • Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
  • Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.
Test Plan
  • Hit an MFA prompt.
  • Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
  • Answered prompt correctly.
  • Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
  • Guessed random numbers, was rate limited after 10 attempts.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable