jace
commented
5 years ago As of 33fb9b37c880812dad7e37a1fad55fa43a84be54 in #233, phone verification attempts are locked for an hour if an incorrect PIN is provided thrice.
Closed jace closed 5 years ago
jace
commented
5 years ago As of 33fb9b37c880812dad7e37a1fad55fa43a84be54 in #233, phone verification attempts are locked for an hour if an incorrect PIN is provided thrice.
jace
commented
5 years ago Locking should be a client app concern, ideally in the primary app (Funnel or Hasjob). Closing this ticket.
UserEmailandUserPhoneare considered verified data, in that the record exists only if there is a verified link to a user (related: #178). This verification is used to prevent a competingUserEmailClaimorUserPhoneClaimfrom being created.However, email claims are still possible in Hasjob (new job post) and Boxoffice (new order or assignee), as those apps prioritise documents over user principals (see #220). This can be a nuisance for a user who is the target of abuse, or who happens to have a common name email address that others mistakenly assume is theirs (as happens often to @kushaldas).
UserEmailandUserPhoneshould have an optional flag namedlockedthat prevents such email claims from being created unless the user is logged in.There is a related but distinct issue with unwanted email/SMSes to someone who has no interest in creating an account, much less locking it. A solution is briefly discussed in hasgeek/listman#8 but merits a separate ticket.
Caveats:
What happens if there is a hard bounce of email? If the record is removed as per #135 and #160, the locked status goes away as well. There is no equivalent workflow for hard bounce of SMS, unfortunately, as phones are by definition only intermittently reachable.
Does the locked status apply for password reset/account recovery emails? Refusing to send an email/SMS may totally lock the user out. Perhaps this should be an account-level lock (2FA, security questions, etc) instead of an email/phone lock.