Well everything can be automated, yes.

I'll explain in more detail.

1. Hacker or myself fails to log in 3 times
2. Brute force detection temporarily disables my account
3. I enter my email in the reset password form and submit.
4. An email lands in my inbox
5. Account is still temporarily disabled
6. I prove my identity (or at least access to the email account) and click the reset link in the email
7. Account is unlocked and I get a login session and am prompted to update my password

This prevents someone from continuously trying to hack my account and thus keeping me locked out of my account.

It also provides a better experience for someone who has just forgotten his or her password and attempts to log in a few too many times.

Just waiting for the account to unlock so the password reset works again isn't more secure in my mind. Just more tedious.

Thoughts?


On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno@abstractj.org> wrote:
On 2016-07-27, Joakim Löfgren wrote:
> Not if you have to click the link in the email for it to be unlocked?

You know that can be easily automated, right?

>
> On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno@abstractj.org> wrote:
>
> > On 2016-07-26, Joakim Löfgren wrote:
> > > Hey,
> > >
> > > I noticed that if you get your account temporarily locked due to the
> > brute
> > > force detection then you cannot reset your password until the temporary
> > > lock has been lifted.
> > >
> > > Is this behaviour intended?
> >
> > From what I can tell, this is how it works today and that's intentional.
> > I think that in order to enable password reset for blocked accounts,
> > rate limiting for password reset should be introduced, otherwise, an
> > attacker could try it again.
> >
> > >
> > > We've gotten a few users that become confused when they do not receive a
> > > reset password email, and thus contact us asking for help.
> > >
> > >
> > > Sincerely,
> > > Joakim
> >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev@lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >

--

abstractj
PGP: 0x84DC9914
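The flow proposed at the top of this thread (lockout after 3 failures, reset request accepted while locked, reset link clears the lock) together with the rate limit on reset emails that Bruno asks for, as an added Python sketch. This is not Keycloak code; the class, function names, limits and the per-account salt are all assumptions made for the example.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 3              # step 1-2: lock after this many bad passwords
LOCK_SECONDS = 15 * 60        # how long the temporary lock lasts
RESET_MIN_INTERVAL = 5 * 60   # at most one reset email per account per interval (assumed)
RESET_TOKEN_TTL = 30 * 60     # reset link validity (assumed)

class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.failures = 0
        self.locked_until = 0.0          # epoch seconds; 0 means not locked
        self.reset_token = None          # (token, expires_at) or None
        self.last_reset_request = -1e9   # far in the past

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def is_locked(self, now):
        return now < self.locked_until

def login(acct, password, now):
    """Returns 'session', 'denied' or 'locked'. Locked accounts never get a session."""
    if acct.is_locked(now):
        return "locked"
    if hmac.compare_digest(acct.pw_hash, acct._hash(password)):
        acct.failures = 0
        return "session"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCK_SECONDS
        return "locked"
    return "denied"

def request_reset(acct, now):
    """Step 3-4: accepted even while locked, but only one email per interval."""
    if now - acct.last_reset_request < RESET_MIN_INTERVAL:
        return None                      # rate-limited: no new email is sent
    acct.last_reset_request = now
    token = secrets.token_urlsafe(32)
    acct.reset_token = (token, now + RESET_TOKEN_TTL)
    return token                         # this value would go into the email

def complete_reset(acct, token, new_password, now):
    """Step 6-7: a valid, unexpired link proves inbox access; clear the lock."""
    if acct.reset_token is None or now > acct.reset_token[1]:
        return "invalid"
    if not hmac.compare_digest(acct.reset_token[0], token):
        return "invalid"
    acct.reset_token = None              # single use
    acct.pw_hash = acct._hash(new_password)
    acct.failures, acct.locked_until = 0, 0.0
    return "session"
```

Note that a guessed token or an expired link leaves the lock in place, so the unlock really does require access to the mailbox.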