Disable user account after failed logins

[jbenn313]

Priority (High, Medium, Low)

High

Description

The user's account is locked after too many failed login attempts. This is intended to block brute force attacks.

Note: The customer understands that Adobe recommends strongly against implementing this feature.

Acceptance criteria

• The maximum number of failed login attempts will be configurable in the web console. Default value is 5.
• The groups that can be locked out will be configurable. Lockout behavior will only apply to these groups. This allows the lockout behavior to not apply to all users. If the customer wishes, all users (except "admin", see below) can be members of this group.
• Lockout behavior will not apply to the "admin" user. This user must never be locked out of the system.
• When a user is locked out, the system reports invalid credentials. It does not report something like "User account is locked because of too many failed login attempts". Obviously it would be nice to have this, but it is not within the scope of this story. A separate issue for this functionality at https://github.com/jbenn313/itsy-bitsy-spider/issues/3

Technical considerations

• Care must be taken to optimize performance of this feature because all HTTP requests pass through the authentication logic. This could create performance degradation system-wide.

Out of scope

• Messaging to the user that their account is locked out is out of scope for this story/issue. That is addressed in https://github.com/jbenn313/itsy-bitsy-spider/issues/3

[pguasti]

John, our decision is to apply the user block costomization.

Information security and superiors are aware of the risks.

We'll begin with no report, if that turns out to be necessary in the future, I'll let you know!