Open adunkman opened 3 years ago
One note regarding brute-force attempts at logging in. Cognito appears to rate-limit failed logins:
> We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.
I really wish they logged this in a place we could see. :sigh:
As introduced in https://github.com/ustaxcourt/ef-cms/pull/719, our Logging in EF-CMS documentation highlights a few key logging blind spots in Cognito:
If we shift approaches to use Cognito through EF-CMS API requests, our standard logging would capture these events.
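Sketch of what that shift would give us, as an added example rather than EF-CMS project code: the API forwards the credentials to Cognito and writes every outcome into its own log, so failed attempts and the lockouts quoted above become visible. It assumes the AWS SDK v2 call shape `initiateAuth(params).promise()` and that Cognito rejects both a wrong password and a temporary lockout with `NotAuthorizedException`, differing only in the message; the `expectedLockoutSeconds` model is one reading of the quoted policy, not something Cognito exposes.

```javascript
// Added example, not EF-CMS project code. Routes sign-in through the API so
// the API's own log sees every attempt. Assumes AWS SDK v2's
// initiateAuth(params).promise() and that a wrong password and a temporary
// lockout both surface as NotAuthorizedException (only the message differs).

const auditLog = []; // stand-in for the API's structured log sink

// Synchronous core: turn one Cognito result into one audit record.
function recordSignInOutcome(log, attempt, { ok, error }) {
  const entry = { event: 'cognito.sign_in', at: Date.now(), ...attempt };
  if (ok) {
    entry.outcome = 'success';
  } else {
    entry.outcome = error && error.code === 'NotAuthorizedException' ? 'failed' : 'error';
    entry.code = error && error.code;
    entry.message = error && error.message; // keeps Cognito's lockout wording for triage
  }
  log.push(entry);
  return entry;
}

// Async wrapper an API handler would call; the Cognito client is injected.
function makeSignIn(cognito, log = auditLog) {
  return ({ username, password, sourceIp }) =>
    cognito.initiateAuth({ AuthFlow: 'USER_PASSWORD_AUTH',
                           AuthParameters: { USERNAME: username, PASSWORD: password } })
      .promise()
      .then(res => { recordSignInOutcome(log, { username, sourceIp }, { ok: true });
                     return { ok: true, tokens: res.AuthenticationResult }; },
            err => { recordSignInOutcome(log, { username, sourceIp }, { ok: false, error: err });
                     return { ok: false }; });
}

// Failed attempts for one user inside a window. Past five, the quoted policy
// says Cognito is already applying temporary lockouts to that user.
function recentFailures(log, username, windowMs, now = Date.now()) {
  return log.filter(e => e.username === username && e.outcome === 'failed'
                         && now - e.at <= windowMs).length;
}

// Lockout after the Nth consecutive failure as the quoted note describes it:
// five free attempts, then 1 s doubling each time, capped at about 15 minutes.
function expectedLockoutSeconds(consecutiveFailures) {
  if (consecutiveFailures <= 5) return 0;
  return Math.min(2 ** (consecutiveFailures - 6), 15 * 60);
}
```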