WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

Log or alert on failed 2FA codes #459

Open jeffpaul opened 1 year ago

jeffpaul commented 1 year ago

Logging a placeholder issue from insight shared from @georgestephanis after finding a related tweet on this topic... We should fire off a log or alert to site admins on any failed 2FA code. Or an error_log or something. So if someone has a password but is trying to brute force a code it can get caught.

Lucisu commented 1 year ago

I extended the Two_Factor_Provider class adding the function to log the failure:

https://github.com/WordPress/two-factor/blob/3b694493bb52ba64f286279bd88e5dbedaffaf18/providers/class-two-factor-provider.php#L75-L106

And added it to TOTP:

https://github.com/WordPress/two-factor/blob/3b694493bb52ba64f286279bd88e5dbedaffaf18/providers/class-two-factor-totp.php#L290-L304

Now, other providers can use it.

I guess it's not the best way to use error_log, though.
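As an added illustration (not the plugin's code and not the linked commit), this is what a shared failure hook plus a site-level alert could look like, following the shape of the thread: a helper that a provider calls on a bad code, with error_log() as the baseline, and a hook handler that counts failures per user and mails the site admin once a threshold is reached. Everything prefixed `example_` / `EXAMPLE_` and the action name `two_factor_user_login_failed_example` are assumptions for this example; only the WordPress functions (do_action, add_action, get_transient, set_transient, wp_mail, current_time, wp_json_encode, get_bloginfo, get_option) and the MINUTE_IN_SECONDS constant are real WordPress API.

```php
<?php
/**
 * Added example, not part of the two-factor plugin. Names prefixed example_ /
 * EXAMPLE_ and the action 'two_factor_user_login_failed_example' are hypothetical.
 */

/**
 * Helper a provider would call when a submitted second-factor code is rejected.
 * Putting this in the shared base class means TOTP, email and backup-code
 * providers all emit the same event instead of each inventing its own.
 *
 * @param WP_User $user     The user whose second factor failed.
 * @param string  $provider Provider key, e.g. 'Two_Factor_Totp'.
 */
function example_two_factor_log_failed_code( WP_User $user, $provider ) {
	// Deliberately omit the submitted code: a user who pastes a password into
	// the code field would otherwise leak it into the log.
	$context = array(
		'user_id'  => $user->ID,
		'provider' => $provider,
		// Behind a reverse proxy this is the proxy's address, not the client's.
		'ip'       => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
		'time'     => current_time( 'mysql', true ),
	);

	// Baseline: plain error_log() so the event is visible even with nothing hooked.
	error_log( 'two-factor: failed second-factor code ' . wp_json_encode( $context ) );

	// Hypothetical action so a mu-plugin or SIEM shipper can alert or rate-limit.
	do_action( 'two_factor_user_login_failed_example', $user, $provider, $context );
}

// Alert after this many failures ...
define( 'EXAMPLE_TWO_FACTOR_FAIL_THRESHOLD', 5 );
// ... within this window (seconds).
define( 'EXAMPLE_TWO_FACTOR_FAIL_WINDOW', 15 * MINUTE_IN_SECONDS );

add_action( 'two_factor_user_login_failed_example', 'example_two_factor_alert_admin', 10, 3 );

/**
 * Site-level handler: count failures per user in a transient and e-mail the
 * admin when the threshold is first crossed. Repeated bad codes for one user
 * imply the password is already known, which is the signal worth alerting on.
 */
function example_two_factor_alert_admin( WP_User $user, $provider, array $context ) {
	$key   = 'example_2fa_fail_' . $user->ID;
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, EXAMPLE_TWO_FACTOR_FAIL_WINDOW );

	// Fire exactly once per window, when the threshold is reached.
	if ( EXAMPLE_TWO_FACTOR_FAIL_THRESHOLD !== $count ) {
		return;
	}

	$subject = sprintf(
		'[%s] %d failed 2FA codes for %s',
		get_bloginfo( 'name' ),
		$count,
		$user->user_login
	);
	$body = sprintf(
		"User %s (ID %d) failed %d second-factor codes via %s within %d minutes.\n"
		. "Last source IP: %s\n\n"
		. "The first factor (password) appears to be known to the attacker; consider forcing a password reset.",
		$user->user_login,
		$user->ID,
		$count,
		$provider,
		EXAMPLE_TWO_FACTOR_FAIL_WINDOW / MINUTE_IN_SECONDS,
		$context['ip']
	);
	wp_mail( get_option( 'admin_email' ), $subject, $body );
}
```

Two design points worth keeping whatever the final shape: never write the rejected code itself to the log, and emit a hook rather than only error_log(), so sites that ship logs elsewhere or want lockout behaviour can react without patching the plugin. The transient counter resets on the window's expiry, which also bounds how often the admin can be mailed for one account.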

iandunn commented 1 year ago

Related: #476 would be a good follow-up to this IMO