Answers inline, but please keep in mind that some of them are my point
On 2018-02-06, Stian Thorgersen wrote:
Adding my opinions on this
On 5 February 2018 at 13:01, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
> please help me clarify the expected behaviour of brute force protection. I
> read the documentation  but I am still not 100% sure about it. I'm more
> after intention rather than actual implementation.
> 1) When should the Failure Reset Time apply? After the first or after last
> failed attempt?
Last failed attempt - it's safer this way
> 2) Should failed login attempts counter be cleared after the first
> successful login or only after failure reset time regardless of the
> successful login?
Only after failure reset time - If there's an ongoing targeted attack on a
specific account this is important, otherwise an attacker would get new
attempts every time the user authenticates (which could be predicted, for
instance 9am every day)
> 3) Should login failures be counted while the account is locked?
No - I don't think this has any impact on safety and would have negative
effects for the user (most users will type the password again to check)
I don't think it has a huge impact on safety, but I disagree here. If
you stop counting, as KC admin you can't tell which accounts are
being targeted. But this is just my personal opinion.
> 4) Should unlocking account in admin console reset login failures counter?
Yes - would be good to have a way to show the count in the admin console
> In other words, what is expected behaviour of the following scenarios
> (questions are in items marked with Q ->)? I intentionally don't suggest
> any correct answer below myself.
> - Permanent lockout: Off
> - Max Lock time: 15 mins
> - Wait Time Increment: 1 min
> - Failure Reset Time: 30 mins
> = Scenario 1 =
> 1.1) User locks its account
> 1.2) Another 3 immediate failed login attempts while account is blocked
> *Q -> *1.3) Check that after (1 or 3?) minutes the account is unlocked
From my understanding it should be incremented at every attempt after
the account was locked, in your scenario 3 min.
> = Scenario 2 =
> 2.1) User locks its account
> 2.2) Wait until account is unlocked (should be 1x Wait Time Increment)
> 2.3) Then do another one failed login attempt.
> *Q -> *2.4) Should the account be locked now or only after next Max Login
IMO only after next Max Login Failure.
> *Q -> *2.5) Wait until account is unlocked (should be 1x or
2x Wait Time
2x wait time increment
> 2.6) Then fail another one login attempt
> *Q -> *2.7) Wait until account is unlocked (should be 1x or 3x Wait Time
3x wait time increment. IMO we should give the KC admin time to respond
to such attack.
> *Q -> *2.8) Wait Failure Reset Time (since first or last
Makes more sense to me after the last failed attempt.
> 2.9) Validate that the user can again lock themselves out only
> Login Failures failed login attempts.
> = Scenario 3 =
> 3.1) User locks its account
> 3.2) Another 20 failed immediate login attempts while account is blocked
> *Q -> *3.3) Check that after (1 or 15?) minutes the account is unlocked
> (Max Lock time is 15 mins)
I believe you meant "Max Wait". I'd say 15 min after the last failure.
> keycloak-dev mailing list
keycloak-dev mailing list