Closed AmeerErg closed 2 years ago
Hi @AmeerErg
1- Yes, by default the user can try to enter his code 3 times during 5 minutes. You can enable the Anti Replay feature. See: Security Configuration. See: TOTP Provider.
2- No, but the user can receive an email each time his configuration is changed/updated. See: General configuration.
3- No, we don't plan to add this feature.
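To make the behaviour described above concrete (3 retries in a 300-second window, plus anti-replay of an already-used code), here is an added Python example that is not part of this project's code; the verifier class, policy constants and test secret are constructed for illustration, and it checks only the current 30-second TOTP step with no clock-skew tolerance.

```python
import hashlib
import hmac
import struct
from collections import deque

# Constructed policy values mirroring the thread: 3 retries per 300-second window.
MAX_RETRIES = 3
WINDOW_SECONDS = 300
STEP_SECONDS = 30


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time, current step only."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Per-user verifier (hypothetical): throttles failed attempts and rejects replayed codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = deque()          # timestamps of failed attempts inside the window
        self.last_accepted_step = None   # anti-replay: last step whose code was accepted

    def _prune(self, now: int) -> None:
        # Drop failures older than the window so the lockout expires on its own.
        while self.failures and now - self.failures[0] >= WINDOW_SECONDS:
            self.failures.popleft()

    def verify(self, code: str, now: int) -> str:
        self._prune(now)
        if len(self.failures) >= MAX_RETRIES:
            return "locked"      # even a correct code is refused until the window clears
        step = now // STEP_SECONDS
        if hmac.compare_digest(code, totp(self.secret, now)):
            if self.last_accepted_step == step:
                return "replayed"  # the same code cannot be accepted twice
            self.last_accepted_step = step
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        return "rejected"
```

The "locked" result is what the retry setting should produce: after the third failure, the next attempt is refused whether or not the code is correct, and the "replayed" result is what the Anti Replay option adds.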
Hi @redhook62,
Thanks for your reply. I tried to enter the OTP 3 times, but I was able to log in the 4th time (currently I'm using the default settings). Is it related to the version I'm using?
Please note that the version I'm using is "3.0.2101.0", because I had some issues with the new version.
Thank you.
Hi @AmeerErg
Yes, 3 retries... So you can change the value to 2.
What are the issues with the latest version? Because 2101 is one year old. Regards
Hello @redhook62,
Just to understand: if my settings are 300 seconds and 3 retries, the user will not be able to use his OTP for 5 minutes, right?
If yes, unfortunately this did not work for me, because even when he enters 5 fake OTPs the next real one will work.
Regarding the issue with the new version, I faced multiple issues:
Thank you and Best Regards
Hi @redhook62,
FYKS on the above.
Best Regards
Hi, @AmeerErg
Ok, please see: Changelog. It's fixed.
For the latest version, can you describe your problems?
regards
Hello @redhook62,
Appreciate your support, it's working now.
Best Regards
Hello @redhook62,
I had this error when I tried to install the new version on one of my servers:
Method not found: 'System.String Neos.IdentityServer.MultiFactor.SQLServerHost.get_SQLPassword()'.
Any ideas?
Thank you.
Also, when I tried to run "UnRegister-MFASystem" I got this error:
Method not found: 'Void Neos.IdentityServer.MultiFactor.CFGUtilities.BroadcastNotification(Neos.IdentityServer.MultiFactor.MFAConfig, Neos.IdentityServer.MultiFactor.NotificationsKind, System.String, Boolean)'.
Previous version 3.0.2101.0, new version 3.1.2112.0
I checked the SQL and it is working fine.
@AmeerErg
Does it work or not???
@redhook62
Yes, it worked. For some reason the MFA created another DB and was pointing to the new DB. When I re-pointed it to the old DB, it worked.
Thank you @redhook62 for your continuous support.
Dear @redhook62,
I have a concern: if I want the user to receive an email each time the configuration is changed, I only need to check the box in the general configuration.
But is there any SMTP configuration I should do?
Thank you.
Hi @AmeerErg
Yes, you must check the option in the general settings. You also need to configure your SMTP connection. Go to MFA Providers, deactivate the provider by email, then select the "Email Multifactor Provider" and fill in the configuration for the SMTP server.
Save
regards
Hello @redhook62,
Great, I'll test it now.
Really appreciate your usual and awesome support.
Hi @redhook62, Thank you for the helpful reply.
When a user registers for the first time, the email field will be empty.
Is there a way that this email field gets filled automatically during the registration? Because the users will not be notified unless the admin fills in the email field. For example: when a new user registers, only the UPN field gets filled while the email does not.
Also, regarding the received email "Your security information has been changed", is there a way that I can modify the template?
Thank you.
Hi @AmeerErg
Yes !
You have 2 solutions
regards
Hello Everyone,
I have multiple questions regarding security hardening:
1- Are there any configurations I can do on the OTP to prevent brute force? For example, if the user fails to enter the OTP 5 times, the connection will be terminated.
2- If a user finishes the registration, is there a way that the admin can receive an email about that?
3- Is there a way to link CAPTCHA after the login to prevent brute force?
Appreciate your support.
Best Regards