Unfortunately, in its current configuration an attacker could force a denial of service on a particular user account indefinitely.
If an attacker knows the username of a victim, they can lock out that user on any deployment of gatekeeper with throttling enabled by issuing no fewer than y failed requests every x minutes; both y and x are trivial to discover by probing the auth system and measuring the timings.
Problem:
Using this information, the attacker places y fake requests, which leads to gatekeeper locking the username for x minutes; the attacker then repeats the same number of requests and locks the account again, indefinitely.
Solution:
1) Tie IP addresses into the throttle logs and only present the locked page to the IP address that initiated the failed login attempts.
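To make the difference concrete, here is a small sliding-window throttle written for this issue (example code, not gatekeeper's own implementation). The `scope="username"` mode reproduces the lockout described above, and `scope="username_ip"` applies the proposed fix by keying the lock on (username, source IP); the IP addresses, the attempt limit y=5 and the window x=10 minutes are constructed values.

```python
from collections import defaultdict, deque


class Throttle:
    """Sliding-window lockout: at most max_failures failed logins per window_seconds.
    scope='username' is the vulnerable behaviour (any source can lock the account);
    scope='username_ip' is the proposed fix (the lock only applies to the offending IP)."""

    def __init__(self, max_failures, window_seconds, scope="username_ip", clock=None):
        self.max_failures = max_failures
        self.window = window_seconds
        self.scope = scope
        self.clock = clock or (lambda: 0.0)  # injectable clock for deterministic runs
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _key(self, username, ip):
        return (username, ip) if self.scope == "username_ip" else (username,)

    def _recent(self, key):
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, username, ip):
        return len(self._recent(self._key(username, ip))) >= self.max_failures

    def record_failure(self, username, ip):
        self._recent(self._key(username, ip)).append(self.clock())


def attempt_login(throttle, username, ip, password, verify):
    """Returns 'locked', 'ok' or 'denied'. verify() stands in for the real credential check."""
    if throttle.is_locked(username, ip):
        return "locked"
    if verify(username, password):
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


def simulate(scope):
    """Constructed scenario: an attacker at 198.51.100.7 sends y=5 wrong passwords for
    'alice', then the real user logs in from 203.0.113.5 with the correct password."""
    verify = lambda user, pw: (user, pw) == ("alice", "correct-horse")
    t = Throttle(max_failures=5, window_seconds=600, scope=scope, clock=lambda: 100.0)
    for _ in range(5):
        attempt_login(t, "alice", "198.51.100.7", "guess", verify)
    return {
        "attacker": attempt_login(t, "alice", "198.51.100.7", "guess", verify),
        "victim": attempt_login(t, "alice", "203.0.113.5", "correct-horse", verify),
    }
```

With `scope="username"` the victim's legitimate login is also reported as `locked`; with `scope="username_ip"` only the attacker's IP is locked and the victim gets `ok`. Per-IP scoping on its own does not stop an attacker with many source addresses, so it is worth keeping a per-username failure counter for alerting even when it is no longer used to block logins.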