aws-samples / amazon-amplify-passwordless-login-authenticator

Art of the possible with Amplify + iOS passwordless login
MIT No Attribution

How to handle brute force ? #1

Open LeJ84 opened 1 year ago

LeJ84 commented 1 year ago

Thanks for this example.

I managed to adapt this solution for web too.

I wonder how to manage a brute-force attack to find a valid code?

It seems that "confirmSignIn"/"sendCustomChallengeAnswer" is not protected and can be called without restrictions.

What can be a solution to avoid that?

MichaelWalker-git commented 5 months ago

Sorry @LeJ84, I did not see this issue until now.

I would recommend leveraging AWS WAF CAPTCHA:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-and-challenge.html

Or leveraging a custom Lambda trigger:

https://docs.amplify.aws/javascript/tools/cli/usage/lambda-triggers/#custom-auth-challenge-with-google-recaptcha

You can even enhance it with a lot of the other tools that WAF offers:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html