For a single user yes. Is that a big problem though?
If you sleep on the server you'd be able to do a DoS on the whole server (even if
async) with a single machine.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 17 March, 2014 2:06:43 PM
Subject: Re: [keycloak-dev] Brute force attack protection
On 3/17/2014 9:54 AM, Stian Thorgersen wrote:
> We could do the sleep on the client side. We'd set a flag on the account
> saying it's disabled until some time in the future. If an account is
> locked we can display a page that says wait N seconds (or something), and
> after N seconds redirect to login form using meta refresh.
>
This creates a very easy DoS opportunity.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
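The "disabled until some time in the future" flag from the quoted proposal, written out as an added example (not Keycloak's code): a failed login past a threshold stamps the account with a lock expiry, and later attempts on a locked account are rejected immediately with the remaining wait, so no request handler ever sleeps. The threshold and wait values are made up for the demo.

```python
"""Account lock-out via a 'disabled until' timestamp (added example)."""
import math
from dataclasses import dataclass

MAX_FAILURES = 5         # hypothetical threshold, not from the thread
BASE_WAIT_SECONDS = 30   # hypothetical base wait, doubles per extra failure


@dataclass
class Account:
    username: str
    password: str               # plaintext only for this toy; hash in practice
    failures: int = 0
    disabled_until: float = 0.0  # epoch seconds; 0.0 means not locked


def seconds_locked(account: Account, now: float) -> int:
    """Whole seconds left on the lock, 0 if the account is usable."""
    remaining = account.disabled_until - now
    return math.ceil(remaining) if remaining > 0 else 0


def attempt_login(account: Account, password: str, now: float) -> tuple[bool, int]:
    """Return (success, wait_seconds).

    The check never sleeps: a locked account is refused at once with the
    wait the login page should display, so a flood of attempts costs the
    server only a timestamp comparison rather than a parked thread.
    """
    wait = seconds_locked(account, now)
    if wait:
        return False, wait
    if password == account.password:
        account.failures = 0          # successful login clears the counter
        return True, 0
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        # Each failure past the threshold doubles the lock period.
        extra = account.failures - MAX_FAILURES
        account.disabled_until = now + BASE_WAIT_SECONDS * (2 ** extra)
        return False, seconds_locked(account, now)
    return False, 0
```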