mkalioby / django-mfa2

A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Webauthn), Email Token and Trusted Devices
MIT License
276 stars, 41 forks

Better TOTP Management #51

Open mkalioby opened 3 years ago

mkalioby commented 3 years ago

TOTP shall be immune against repeat attacks and against brute force attacks.

mkalioby commented 3 years ago

@xi, I handled these 2 scenarios in branch Better_TOTP, can you please try it and let me know.

Thanks.

xi commented 3 years ago

I had a quick look at the code. Here are some thoughts:

mkalioby commented 3 years ago

I had a quick look at the code. Here are some thoughts:

  • Looks good in general

  • I like that it is self contained, even though I would not have an issue with delegating some of the functionality to django-axes.

I don't have experience in that, and I think it will be good to integrate it under a flag to help admins manage it through one system.

  • I think those same counter measures could also be useful for other methods, e.g. email.

Good point.

  • If I understand correctly this code would store successful login attempts indefinitely. This might be a data protection issue in some legislations. It is also not really required as TOTPs expire quickly. On top of that, the risk of blocking a valid TOTP increases with each successful login.

We can create a management command that clears records older than the predefined window.

  • I know from experience with django-axes that users tend to enter the wrong credentials, so an admin UI that allows reviewing and resetting login attempts is crucial.

The code doesn't suspend the users for good, it just suspends the usage of TOTP for some time (cool-off period) based on the MFA_TOTP_FAILURE_WINDOW setting, so the users can try another method or wait until the suspension is lifted automatically.
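The three mechanisms discussed in this thread (rejecting a reused TOTP code, suspending TOTP for a cool-off period after repeated failures, and pruning records that are older than the window so nothing is stored indefinitely) fit together in a small verifier. The following is an added, self-contained Python example written for this page; it is not code from the Better_TOTP branch or from django-mfa2. Only the setting name MFA_TOTP_FAILURE_WINDOW comes from the issue; its value, the MFA_TOTP_MAX_FAILURES threshold, the class and method names, and the in-memory storage are assumptions made for the example (a real app would keep the records in database rows). The TOTP generation itself follows RFC 4226/6238 and is checked against their published test key.

```python
import hashlib
import hmac
import struct

# MFA_TOTP_FAILURE_WINDOW is the setting named in the issue; the value and the
# other two knobs below are hypothetical defaults chosen for this example.
MFA_TOTP_FAILURE_WINDOW = 300   # seconds TOTP stays suspended after too many failures
MFA_TOTP_MAX_FAILURES = 3       # hypothetical: failures tolerated inside the window
TOTP_STEP = 30                  # RFC 6238 time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Per-user TOTP verification with replay rejection and a failure cool-off period.

    Accepted counters are remembered only while they could still be presented
    (the drift window), so successful attempts are not stored indefinitely;
    failures are remembered only inside the failure window.
    """

    def __init__(self, secret: bytes, failure_window: int = MFA_TOTP_FAILURE_WINDOW,
                 max_failures: int = MFA_TOTP_MAX_FAILURES, window_steps: int = 1,
                 step: int = TOTP_STEP):
        self.secret = secret
        self.failure_window = failure_window
        self.max_failures = max_failures
        self.window_steps = window_steps   # accept +/- this many steps of clock drift
        self.step = step
        self.used = {}                     # accepted counter -> time it was accepted
        self.failures = []                 # timestamps of failed attempts
        self.suspended_until = 0.0

    def replay_horizon(self) -> int:
        """A counter can only be presented while it lies inside the drift window."""
        return (2 * self.window_steps + 1) * self.step

    def prune(self, now: float) -> int:
        """Drop records that can no longer affect a decision; returns how many were removed.

        This is the job the thread proposes for a management command.
        """
        before = len(self.used) + len(self.failures)
        self.used = {c: t for c, t in self.used.items() if now - t <= self.replay_horizon()}
        self.failures = [t for t in self.failures if now - t <= self.failure_window]
        return before - len(self.used) - len(self.failures)

    def verify(self, code: str, now: float) -> str:
        """Return 'ok', 'replay', 'invalid', 'locked' (this attempt started the
        suspension) or 'suspended' (cool-off period still running)."""
        if now < self.suspended_until:
            return "suspended"
        self.prune(now)
        current = int(now) // self.step
        for counter in range(current - self.window_steps, current + self.window_steps + 1):
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                if counter in self.used:
                    return "replay"        # correct code, but it has already been spent
                self.used[counter] = now   # remember the spent counter until the horizon passes
                self.failures.clear()
                return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.suspended_until = now + self.failure_window
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed walk-through with the RFC 6238 test key at a fixed clock.
    key = b"12345678901234567890"
    v = TotpVerifier(key)
    t = 59
    first = totp(key, t)
    print(v.verify(first, t), v.verify(first, t + 5))      # ok replay
    for i in range(3):
        print(v.verify("000000", t + 6 + i))              # invalid invalid locked
    print(v.verify(totp(key, t + 9), t + 9))               # suspended
    print(v.verify(totp(key, t + 309), t + 309))           # ok (cool-off over, old records pruned)
```

The replay check deliberately keys on the time-step counter rather than on the code string, so a code that happens to repeat for a different counter is not blocked, and the stored set is bounded by the drift window rather than growing with every login, which addresses the retention concern raised above. A replayed code is reported separately from a plain mismatch so it can be alerted on, since a correct but already spent code is a stronger signal of a captured OTP than a typo.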