**Is your feature request related to a problem? Please describe.**

I have read

and ask myself whether it is possible to configure the identity server to mitigate brute force in the way suggested by OWASP, with device cookies.

If not: this is the feature request for it. It would improve the brute-force protection options of the identity server.

If it is: maybe we can add a section to "mitigate-brute-force-attacks" on what the configuration would look like.

**Describe the solution you would prefer**

The solutions in the documentation:

- "Lock the user account after a certain number of failed attempts" -> This allows DoS attacks against the identity server.
- "Present a reCaptcha after a certain number of failed attempts before trying again" -> This needs an external provider, captchas can be bought with money, and it is less user-friendly.
- "device-based adaptive authentication" -> As far as I understand it, this is after the password has been guessed by the attacker.

Hence the OWASP recommendation would be an improvement over the existing solutions. They say:

> The protocol is less susceptible to DoS attacks than plain account locking out and yet effective and easy to implement.

Thanks!
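For readers who have not seen the OWASP device cookie protocol the issue refers to, here is a small reference implementation of it as an added example. It is not code from WSO2 Identity Server or from the issue author, and it does not show how to configure the product; it only demonstrates the mechanism being requested. Assumptions (all constructed for the example): an in-memory user table with plaintext passwords standing in for a real credential store, an HMAC-SHA256 signed cookie of the form `login:nonce:signature`, a lockout threshold of 3 attempts and a lockout period of 600 seconds, and an injectable clock so the lockout expiry can be exercised without waiting.

```python
"""OWASP-style device cookie guard against online password guessing (added example).

Idea: a client that has logged in successfully before carries a signed device cookie
and is "trusted". Failed attempts are counted per trusted cookie and, separately, per
login for all untrusted clients. When the untrusted counter for a login reaches the
threshold, only untrusted clients are locked out for a period; the legitimate user
on a trusted device keeps working, which is why this is harder to abuse for DoS than
plain account locking.
"""
import hashlib
import hmac
import secrets
import time

THRESHOLD = 3           # failed attempts tolerated per client class (assumed value)
LOCKOUT_SECONDS = 600   # lockout period for untrusted clients and for a locked cookie


class DeviceCookieGuard:
    def __init__(self, secret: bytes, users: dict, clock=time.time):
        self.secret = secret
        self.users = users                 # constructed: login -> password (stand-in for a real store)
        self.clock = clock                 # injectable for testing lockout expiry
        self.untrusted_failures = {}       # login -> failed attempts without a trusted cookie
        self.untrusted_locked_until = {}   # login -> time until untrusted clients are rejected
        self.cookie_failures = {}          # (login, nonce) -> failed attempts with that cookie
        self.cookie_locked_until = {}      # (login, nonce) -> time until that cookie is distrusted

    def _sign(self, login: str, nonce: str) -> str:
        # Logins must not contain ':' for this simple encoding; a real system would use base64.
        payload = f"{login}:{nonce}"
        sig = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def issue_cookie(self, login: str) -> str:
        # A fresh random nonce per successful login; the nonce is what gets locked, not the login.
        return self._sign(login, secrets.token_hex(16))

    def _trusted_key(self, login: str, cookie):
        """Return (login, nonce) if the cookie is valid for this login and not locked, else None."""
        if not cookie:
            return None
        parts = cookie.split(":")
        if len(parts) != 3 or parts[0] != login:
            return None            # foreign or malformed cookie: treat client as untrusted
        if not hmac.compare_digest(self._sign(parts[0], parts[1]), cookie):
            return None            # forged or tampered cookie
        key = (parts[0], parts[1])
        if self.cookie_locked_until.get(key, 0) > self.clock():
            return None            # cookie exhausted its own attempts: back to untrusted path
        return key

    def _check_password(self, login: str, password: str) -> bool:
        expected = self.users.get(login)
        return expected is not None and hmac.compare_digest(expected, password)

    def login(self, login: str, password: str, cookie=None):
        """Returns (ok, reason, new_cookie). reason is one of ok, bad-credentials, untrusted-locked."""
        now = self.clock()
        key = self._trusted_key(login, cookie)
        if key is None and self.untrusted_locked_until.get(login, 0) > now:
            return False, "untrusted-locked", None   # rejected without even checking the password
        if self._check_password(login, password):
            if key is not None:
                self.cookie_failures.pop(key, None)
            else:
                self.untrusted_failures.pop(login, None)
            return True, "ok", self.issue_cookie(login)
        if key is not None:
            n = self.cookie_failures.get(key, 0) + 1
            self.cookie_failures[key] = n
            if n >= THRESHOLD:
                self.cookie_locked_until[key] = now + LOCKOUT_SECONDS
                self.cookie_failures.pop(key, None)
        else:
            n = self.untrusted_failures.get(login, 0) + 1
            self.untrusted_failures[login] = n
            if n >= THRESHOLD:
                self.untrusted_locked_until[login] = now + LOCKOUT_SECONDS
                self.untrusted_failures.pop(login, None)
        return False, "bad-credentials", None


if __name__ == "__main__":
    guard = DeviceCookieGuard(secrets.token_bytes(32), {"alice": "correct horse"})
    ok, _, trusted = guard.login("alice", "correct horse")
    for _ in range(THRESHOLD):
        guard.login("alice", "wrong guess")                     # guessing from an untrusted client
    print(guard.login("alice", "correct horse"))                # untrusted-locked
    print(guard.login("alice", "correct horse", trusted)[:2])   # trusted device still logs in
```

The point to notice is the last two lines of the demo: after the guessing client trips the untrusted lockout, a correct password without a cookie is rejected, but the same password from the device holding a valid cookie still succeeds. An attacker therefore cannot lock the real user out by spraying wrong passwords, which is the weakness of the "lock the account" option the issue lists.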
This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!