Comments (9)
The upcoming 3.0 version provides hooks to implement anti brute-force. See the docs: https://github.com/scheb/two-factor-bundle/blob/master/Resources/doc/brute_force_protection.md
from two-factor-bundle.
This feature is really important for security.
As explained un this blog post (approx translation hereafter):
Let TOTP code consists of 6 digits - is 1,000,000 options. And even allowed to enter the code 1 in 1 second and 30 seconds the code lives.
The chance that in 30 attempts in 30 seconds to guess the code - 3/100000 ~ 0.003%. It would seem a little. However, these 30-second windows in the day - 2880 pieces. Total, we guess code probability (even though it is changing) = 1 - (1 - 3/100000) ~ 2880 ~ 8.2%. 10 days of such attempts are already yielding 57.8% success rate. 28 days - 91% success rate.
So we must clearly recognize that you need to implement at least one (and preferably both) of the measures proposed by the authors of the standard.
The both measures are:
- Track the number of unsuccessful attempts to enter the code, and the ability to block the authentication exceed a certain maximum limit. Limit offer to do so small as to be more comfortable to use the service.
- Set delay after a failed entry attempts. And to increase the delay linearly with the number of failed attempts. For example, after the first attempt - setting the delay is 5 seconds, after the second 10 etc ..
from two-factor-bundle.
I know that this is an old thread, but surely it would be easier to use fail2ban's existing functionality? It even comes with a handy Symfony bundle
from two-factor-bundle.
Currently there is no limit implemented. If you want to contribute, feel free to create a pull request.
from two-factor-bundle.
Thank you both for your replies! And a great explanation of the security risks, @Spomky!
If you want to contribute, feel free to create a pull request.
I would like to contribute. Perhaps you two can help with thinking about the ideal solution?
What would be the best way to save the failed attempts? What about adding two fields to the user entity?
- failed attempts counter (integer)
- last failed attempt (timestamp)
And would it be secure to just empty these fields as soon as there is a successful attempt?
from two-factor-bundle.
That would definitely be the proper solution. I also thought about storing the data in the session, but then an attacker which has username/password could just drop the session and start from scratch. So there is no alternative to persisting the information somewhere.
from two-factor-bundle.
Thank you for your reply!
I'm not really familiar with fail2ban. Could you describe how this would provide a solution for this problem?
from two-factor-bundle.
From the fail2ban website:
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
The plugin that is linked to details how to configure this service to work with Symfony applications, although I am pretty certain that extra work will be needed to factor in this bundle.
from two-factor-bundle.
Sounds like an interesting solution. But something to keep in mind regarding the user experience: multiple failed attempts are not necessarily hack attempts. It might be a valid user that just isn't able to produce the right Google Authenticator code (for whatever reason). Just shutting those users out by completely blocking their IP is probably not what you want. Suddenly they won't be able to reach the website, without knowing what's going on. A decent error message is much more user friendly, in my opinion.
Also: when there's (for instance) a company operating from one IP address multiple failed attempts might come from different users. So you might shut out a whole company when just a few users have trouble producing the right Google Authenticator code. I don't think fail2ban will be able to distinguish those different users?
What's your take on this?
from two-factor-bundle.
Related Issues (20)
- Use multiple interfaces, one with JWT and API HOT 8
- Resent email authentication code HOT 8
- Type error: Too few arguments to function Scheb\TwoFactorBundle\Controller\FormController::__construct(), 0 passed HOT 2
- Two-factor authentication form is not shown after login HOT 16
- LogoutHandlerInterface is deprecated since Symfony 5.1 HOT 6
- No Two factor form after logging in (no redirect) HOT 7
- User Deprecated HOT 1
- Authenticate two factor in one request (with json_login) HOT 4
- Called providers session value is never unset HOT 4
- How to use the two factor auth in combination with manual authentication HOT 3
- Doesn't work in PROD works in DEV HOT 2
- 2FA by api + jwt HOT 8
- FatalThrowableError in RememberMeServicesDecoratorCompilerPass HOT 4
- impossible to go through page 2fa during login HOT 8
- How to change default path 2fa HOT 1
- Infinite login loop when updating user credentials HOT 2
- Login via email failed HOT 7
- Not prompted for Google Authenticator code on login HOT 14
- 2fa form is not being shown HOT 16
- Session id changes after 2fa succeed. And UsernamePasswordToken cannot be loaded from Redis. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from two-factor-bundle.