SEC-2516: Hardening Authentication Controls

[spring-projects-issues]

Matt Konda (Migrated from SEC-2516) said:

Provide capability and reference documentation for setting up the following features related to authentication (extending slightly on existing Spring security capabilities):

• Configurable lockout after N failed attempts
• Auto-unlock after a period of M minutes or via email
• Password reset flow (token + time limit)
• Temporary access pending email confirmation flow (time limited access until email link with token followed)
• Configurable password complexity enforcement
• Notification of password change (configurable to send email)
• Filter to prevent multiple concurrent sessions with the same login
• Support for multi-factor authentication

Idea would be to put each of these as a separate story that is part of this epic.

Inspired by: https://www.owasp.org/index.php/Authentication_Cheat_Sheet https://github.com/plataformatec/devise

[spring-projects-issues]

Matt Konda said:

This original epic is intended for discussion.

I am volunteering to explore working on this if people thing it is worthwhile.

[romeara]

Hi! I just ended up writing something for a project which covered:

• lockout after N attempts
• auto-unlock after m minutes

I'd be interested in contributing something more integrated and stable to the library. The contribution docs said to look into issues and glitter, so I thought asking here would be the best place to start.

Would there be interest in a pull request for just those parts in isolation?