Page MenuHomePhabricator
Differential D20019

Add a rate limit for enroll attempts when adding new MFA configurations
ClosedPublic
Actions

Authored by epriestley on Jan 23 2019, 3:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 17, 1:19 AM
Unknown Object (File)
Fri, Jan 3, 6:41 AM
Unknown Object (File)
Sun, Dec 22, 4:35 PM
Unknown Object (File)
Sun, Dec 22, 10:07 AM
Unknown Object (File)
Dec 13 2024, 4:28 AM
Unknown Object (File)
Dec 8 2024, 6:26 AM
Unknown Object (File)
Dec 5 2024, 9:17 AM
Unknown Object (File)
Nov 25 2024, 7:52 AM
View All Files
Subscribers
None

Details

Reviewers
amckinley
Maniphest Tasks
T13222: 2018 Week 48-51 Bonus Content
Commits
rP7c1d1c13f4a3: Add a rate limit for enroll attempts when adding new MFA configurations
Summary

Depends on D20018. Ref T13222. When you add a new MFA configuration, you can technically (?) guess your way through it with brute force. It's not clear why this would ever really be useful (if an attacker can get here and wants to add TOTP, they can just add TOTP!) but it's probably bad, so don't let users do it.

This limit is fairly generous because I don't think this actually part of any real attack, at least today with factors we're considering.

Test Plan
  • Added TOTP, guessed wrong a ton of times, got rate limited.
  • Added TOTP, guessed right, got a TOTP factor configuration added to my account.

Diff Detail

Repository
rP Phabricator
Branch
mfa14
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 21644
Build 29515: Run Core Tests
Build 29514: arc lint + arc unit

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
action/
21 lines
settings/
panel/
24 lines

Diff 47791

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/applications/auth/action/PhabricatorAuthNewFactorAction.php

Loading...
View Options

src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php

Loading...
Phabricator · Built by Phacility