wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Unlock time is not changing accordingly #14928

Closed Tiffany-silva closed 2 days ago

Tiffany-silva commented 2 years ago

Describe the issue: The configuration is as follows:

Set up basic auth as the 1st step, email OTP as the 2nd step, and email and SMS OTP as the 3rd step.

Scenario:

  1. Once the user has logged into the system with the correct username and password, they are redirected to the email OTP page.
  2. If the user enters the OTP incorrectly 2 times, they are redirected to a multi-choice page to select Email or SMS to receive the OTP.
  3. After the user selects one of the choices, they are again redirected to the OTP verification page. If the user fails to enter the OTP correctly this time, the account is locked.
  4. The first time the account is locked, the duration should be 2 minutes. But after every three OTP failures, the unlock time should increase by a factor of 2 (2, 4, 8, 16, 32, ...). The issue is that the unlock time is not incremented accordingly, so every time the unlock time is 2 minutes.

The above behavior is observed because the basic authentication step succeeds and the AccountLockHandler is triggered to reset the properties [1]. At this step, http://wso2.org/claims/identity/failedLoginLockoutCount is set to 0 again because basic auth succeeded. However, when it comes to the OTP verification step, failedLoginLockoutCount is referred to [2], and since it is now 0, the calculated result is incorrect [3].

Expected behavior: The unlock time should be incremented with consecutive failed login attempts based on OTP verification.

Suggested Solution: As a solution to the above scenario, we could use another claim to represent OTP verification attempts and refer to the new claim instead of failedLoginLockoutCount. This way, the incremented value will be calculated as expected, as it is not reset in the AccountLockHandler.

Environment information

Regards, Supeshala

[2] https://github.com/wso2-extensions/identity-event-handler-account-lock/blob/1.4.x/components/org.wso2.carbon.identity.handler.event.account.lock/src/main/java/org/wso2/carbon/identity/handler/event/account/lock/AccountLockHandler.java#L312

[3] https://github.com/wso2-extensions/identity-outbound-auth-email-otp/blob/3.0.x/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/emailotp/EmailOTPAuthenticator.java#L2495

[4] https://github.com/wso2-extensions/identity-outbound-auth-email-otp/blob/3.0.x/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/emailotp/EmailOTPAuthenticator.java#L2503

ruwanta commented 2 years ago

Can we move the account unlock logic to the framework and handle it after the "Success" of the final decision? The failure scenario also needs to be handed over to the framework level, not handled by each authenticator. This way we will not need a separate claim. We can keep this information in the authentication context itself as a temporary variable.

In the future we could add an adaptive script function to control this aspect too, if the entire lock/unlock is handled at the framework.

isharak commented 2 days ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!