Login strikes work across a cluster
If a user incorrectly attempts to log in on one server and reaches the retry limit, that user should not be able to log in on a different server in the same cluster.
The MFA plugin also uses the same login strike count / time.
Currently they are stored statically in memory. This not only means it won't work correctly for multiple server nodes, but it also throws a wrench into multi-factor authentication. Strikes are cleared upon successful primary login, which means that a user could potentially brute-force the secondary token.
Maybe store this as new columns on the person table
Imported Issue. Original Details: Jira Issue Key: MIRTH-4347 Reporter: narupley Created: 2018-12-12T12:01:01.000-0800
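An added sketch of the approach suggested above (not Mirth Connect code): strike state lives in columns on a shared person table so every node sees it, and it is cleared only after both factors pass. SQLite stands in for the cluster database; the column names, limits and function names are assumptions.

```python
import sqlite3

MAX_STRIKES = 3        # assumed retry limit
LOCKOUT_SECONDS = 600  # assumed lockout period

def open_store(path):
    # Each "node" opens its own connection to the same shared database.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS person ("
               "username TEXT PRIMARY KEY, "
               "strike_count INTEGER NOT NULL DEFAULT 0, "  # assumed column
               "last_strike_time REAL)")                    # assumed column
    return db

def is_locked(db, user, now):
    row = db.execute("SELECT strike_count, last_strike_time FROM person "
                     "WHERE username = ?", (user,)).fetchone()
    if row is None or row[0] < MAX_STRIKES:
        return False
    return now - row[1] < LOCKOUT_SECONDS

def add_strike(db, user, now):
    # Increment inside the database so concurrent nodes cannot lose updates.
    db.execute("UPDATE person SET strike_count = strike_count + 1, "
               "last_strike_time = ? WHERE username = ?", (now, user))
    db.commit()

def clear_strikes(db, user):
    db.execute("UPDATE person SET strike_count = 0, last_strike_time = NULL "
               "WHERE username = ?", (user,))
    db.commit()

def login(db, user, password_ok, token_ok, now):
    """One attempt on any node. Returns 'locked', 'denied' or 'ok'."""
    if is_locked(db, user, now):
        return "locked"
    if not (password_ok and token_ok):
        add_strike(db, user, now)  # a wrong MFA token costs a strike too
        return "denied"
    clear_strikes(db, user)        # cleared only after BOTH factors pass
    return "ok"

def demo(path):
    node_a, node_b = open_store(path), open_store(path)
    node_a.execute("INSERT INTO person (username) VALUES ('alice')")  # constructed user
    node_a.commit()
    # Correct password, wrong token, three times on node A; then node B.
    tries = [login(node_a, "alice", True, False, now=t) for t in (0, 1, 2)]
    return tries + [login(node_b, "alice", True, True, now=3),
                    login(node_b, "alice", True, True, now=700)]
```

Because a correct password alone never resets the count, repeated wrong tokens reach the limit, and the lockout then applies on the second node as well.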