Homestyx hydra
Diffusion hydra 7c1d1c13f4a3

Add a rate limit for enroll attempts when adding new MFA configurations
7c1d1c13f4a3
Actions

Description

Add a rate limit for enroll attempts when adding new MFA configurations

Summary:
Depends on D20018. Ref T13222. When you add a new MFA configuration, you can technically (?) guess your way through it with brute force. It's not clear why this would ever really be useful (if an attacker can get here and wants to add TOTP, they can just add TOTP!) but it's probably bad, so don't let users do it.

This limit is fairly generous because I don't think this actually part of any real attack, at least today with factors we're considering.

Test Plan:

  • Added TOTP, guessed wrong a ton of times, got rate limited.
  • Added TOTP, guessed right, got a TOTP factor configuration added to my account.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20019

Details

Provenance
epriestleyAuthored on Jan 23 2019, 10:22 AM
sirocylPushed on Oct 16 2024, 5:49 AM
Parents
R1:e91bc26da685: Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they…
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (3)

PathSize
src/
applications/
auth/
action/
settings/
panel/

R1:7c1d1c13f4a3

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/applications/auth/action/PhabricatorAuthNewFactorAction.php

Loading...
View Options

src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php

Loading...
styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)