FAQ | This is a LIVE service | Changelog

Snippets Groups Projects

Implement exponential lockout

Description

To prevent unauthorized account access, we will implement an exponential lockout for CRSId/Last Name and DoB pairs.

Further details

We will not be storing login attempts against the actual accounts, rather a separate database table will track unsuccessful login attempts with the "username" portion of the login credentials being checked for lockout against this table when a user attempts to log in. Database will need to store:

Identity Key (CRSId or Last Name) (PK) - suggest one field to store either, don't need to make a distinction.
DoB (PK)
number of unsuccessful login attempts
nullable "lockout until" datetime

Task list

Create model to store lockout data
Update login code to:
- Store lockout data on unsuccessful login attempt
  - After 3 unsuccessful logins start settings lockout - start at 10 (default) seconds in the future, then double for each subsequent unsuccessful attempt (including those blocked by the lockout).
  - Number of unsuccessful logins and initial lockout time should be configurable.
- Prevent login if credentials being used are in the lockout table and the current time is before the "lockout until" time - sending back a standard 401.
- Clear lockout data on successful login attempt

Acceptance criteria

User accounts are protected from brute force attempts.

Links/references

0 of 1 checklist item completed · Edited 4 months ago

Designs

Child items ...

Activity

Mike Knee added issuetypeTask teamIdentity workflowNeeds Refinement labels 4 months ago

added issuetypeTask teamIdentity workflowNeeds Refinement labels
Mike Knee added to epic uis/devops&200 (closed) 4 months ago

added to epic uis/devops&200 (closed)
Mike Knee marked this issue as blocking #37 (closed) 4 months ago

marked this issue as blocking #37 (closed)
Mike Knee changed the description 4 months ago

changed the description
Mike Knee added time estimate of 2d 4 months ago

added time estimate of 2d
Mike Knee added workflowSprint Ready label and removed workflowNeeds Refinement label 4 months ago

added workflowSprint Ready label and removed workflowNeeds Refinement label
Mike Knee added stretch-goal label 3 months ago

added stretch-goal label
Mike Knee changed iteration to IAM Sprint Jan 15, 2025 - Jan 28, 2025 3 months ago

changed iteration to IAM Sprint Jan 15, 2025 - Jan 28, 2025
GitLab Automation Bot removed iteration IAM Sprint Jan 15, 2025 - Jan 28, 2025 2 months ago

removed iteration IAM Sprint Jan 15, 2025 - Jan 28, 2025
GitLab Automation Bot changed iteration to IAM Sprint Jan 29, 2025 - Feb 11, 2025 2 months ago

changed iteration to IAM Sprint Jan 29, 2025 - Feb 11, 2025
Mike Knee removed stretch-goal label 2 months ago

removed stretch-goal label
E. Evstafiev assigned to @ee345 2 months ago

assigned to @ee345
E. Evstafiev added workflowIn Progress label and removed workflowSprint Ready label 2 months ago

added workflowIn Progress label and removed workflowSprint Ready label
E. Evstafiev created branch 36-implement-exponential-lockout to address this issue 2 months ago

created branch 36-implement-exponential-lockout to address this issue
E. Evstafiev mentioned in merge request !95 (merged) 2 months ago

mentioned in merge request !95 (merged)
E. Evstafiev added workflowReview Required label and removed workflowIn Progress label 2 months ago

added workflowReview Required label and removed workflowIn Progress label
Sebastiaan ten Pas added workflowUnder Review label and removed workflowReview Required label 2 months ago

added workflowUnder Review label and removed workflowReview Required label
E. Evstafiev mentioned in commit d931b2d8 2 months ago

mentioned in commit d931b2d8

Please register or sign in to reply

Epic

None

Labels

None

Milestone

None

Iteration

None

Weight

None

Due date

None

Health status

None

Confidentiality

Confidentiality controls have moved to the issue actions menu () at the top of the page.

0 Participants