Closed woodbe closed 1 year ago
The timeout period after 10 consecutive attempts being fixed at 30 seconds seems to limit the alternative solutions that are available on different systems. For example, many systems implement blocks of allowed attempts with increasing timeouts between authentication failures (such as every 5 attempts the delay grows in a geometric progression).
Instead of requiring a minimum fixed 30 second timeout after each attempt, provide more flexibility with a minimum time set initially and then some expectations for attempts over time that could be met in a variety of ways (for example, 5 attempts need to take at least 2.5 minutes after the initial 10).
https://github.com/biometricITC/cPP-biometrics/issues/401#issuecomment-1402144931
Section - 5.2.3
Page - 33
Line - 1290-1298
Comment
Timeout period of forced 30 seconds after initial limit has been reached
Suggested Change
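An added example, not from the issue or the cPP-biometrics project, that checks two lockout policies against the flexible requirement proposed above (any 5 attempts after the initial 10 must take at least 2.5 minutes). The 10/30 s/5/2.5 min figures come from the issue; the geometric policy's base delay and ratio are assumed values.

```python
"""Compare lockout policies against a minimum-time-per-window requirement.

Constructed example: the free-attempt count, fixed delay, window size and
window minimum come from the issue text; base/ratio of the geometric policy
are assumptions.
"""

FREE_ATTEMPTS = 10          # attempts allowed before any delay is imposed
WINDOW = 5                  # requirement is stated per block of 5 attempts
MIN_WINDOW_SECONDS = 150.0  # 2.5 minutes per window, after the initial 10


def fixed_delay(attempt: int) -> float:
    """Current text: a fixed 30 s wait before every attempt past the first 10."""
    return 30.0 if attempt > FREE_ATTEMPTS else 0.0


def geometric_delay(attempt: int, base: float = 10.0, ratio: float = 2.0) -> float:
    """Alternative from the issue: the delay grows geometrically every 5 failures.

    Assumed parameters: `base` seconds before attempt 11, multiplied by `ratio`
    after each further block of 5 failures.
    """
    if attempt <= FREE_ATTEMPTS:
        return 0.0
    block = (attempt - FREE_ATTEMPTS - 1) // WINDOW  # 0 for attempts 11-15, 1 for 16-20, ...
    return base * ratio ** block


def window_times(delay_fn, total_attempts: int) -> list:
    """Seconds of enforced delay in each complete window of 5 attempts after the first 10."""
    times = []
    for start in range(FREE_ATTEMPTS + 1, total_attempts + 1, WINDOW):
        end = start + WINDOW - 1
        if end > total_attempts:
            break  # only complete windows are subject to the requirement
        times.append(sum(delay_fn(a) for a in range(start, end + 1)))
    return times


def meets_requirement(delay_fn, total_attempts: int = 30) -> bool:
    """True if every complete window of 5 attempts took at least MIN_WINDOW_SECONDS."""
    return all(t >= MIN_WINDOW_SECONDS for t in window_times(delay_fn, total_attempts))


if __name__ == "__main__":
    for name, fn in (("fixed 30 s", fixed_delay),
                     ("geometric 10 s x2", geometric_delay),
                     ("geometric 30 s x2", lambda a: geometric_delay(a, base=30.0))):
        print(f"{name:18s} windows={window_times(fn, 30)} ok={meets_requirement(fn)}")
```

The run shows that the fixed policy meets the proposed minimum exactly, a geometric policy starting at 10 s fails it in its first two windows, and one starting at 30 s meets it with margin, which is the point of stating the requirement as a minimum time per window rather than a fixed per-attempt delay.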