Open jasonmunro opened 8 years ago
@Danelif please advise.
Alright
I have read this article carefully https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and found it very relevant. But some techniques are not included in it. If we want to create brute-force login protection, consider including the (2-3) FA technique (2-3 Factor Authentication). The user might provide a unique OTP sent to his email address or mobile phone once the username/password is correct. Also, The limitation of attempting to log in can be considered from a single IP address. If the limit is reached we can suggest the user to recover it password by emailing an OTP to the email in our database.
@Danelif Thank you, please look at how it is done in Tiki to get some more good ideas.
@marclaporte In tiki 2FA is done using Google2FA php library. Good idea indeed. Instead of using OTP, in Tiki, we use TOTP. But the only problem is that there is not much documentation and usage I wonder why?
Some docs:
TOTP uses time, so the code changes every 30 seconds.
lots of great ideas on this here: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks