Brute force protection for Auth0 #2472

Open
1 task
curtismchale opened this issue Jan 25, 2024 · 0 comments

@curtismchale
Contributor

curtismchale commented Jan 25, 2024

We should lock an account if a password has been tried on it 5 times without success. I don't think we should put a time limit on it, or give any indication that they have a limited amount of tries. If there are 5 tries across a few weeks that don't work, we should still lock the account and the user can get in touch with us, or their site rep to get access to their account again.

I'd love to see a log action that we locked an account.

We may need to tweak the timeframe and number of attempts so that users aren't locked out too often.

Tasks

  • provide good user feedback via email about why a user account has been locked out and for how long
    • I don't think we want to provide this on the web interface and instead just say the account is "locked" as that would give someone trying passwords information that they didn't have about the capabilities of our systems
    • though it's also likely that the attempts are simply made by a bot which may or may not be able to read the feedback given
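The policy sketched in this issue (lock after 5 failures, no time window, a log action on lock, and a user-facing response that never hints at remaining attempts), modelled as an added example; this is not the project's code and not anything the issue author wrote. The in-memory store, the `logger` callback and the `LockoutPolicy`/`demo` names are assumptions for illustration.

```javascript
// Added illustration of the lockout policy described in the issue (not the project's code).
// Assumptions (hypothetical): an in-memory store keyed by account id and a logger
// callback receiving structured events. The failure counter never decays (no time
// window, as requested), and the returned status never reveals attempts remaining.

const LOCK_THRESHOLD = 5; // failed attempts before the account is locked

class LockoutPolicy {
  constructor(logger = () => {}) {
    this.failures = new Map(); // accountId -> failed attempts since last success
    this.locked = new Set();   // accountIds currently locked
    this.logger = logger;
  }

  isLocked(accountId) {
    return this.locked.has(accountId);
  }

  // Called when a password check fails. Returns the generic status shown to the user.
  recordFailure(accountId) {
    if (this.locked.has(accountId)) return 'locked';
    const count = (this.failures.get(accountId) || 0) + 1;
    this.failures.set(accountId, count);
    if (count >= LOCK_THRESHOLD) {
      this.locked.add(accountId);
      // Log action so operators can see the lock; the user is told by email, not on the page.
      this.logger({ event: 'account_locked', accountId, failedAttempts: count });
      return 'locked';
    }
    return 'invalid'; // same wording on every failure before the lock: no countdown
  }

  // Called when a password check succeeds. A locked account stays locked even with the
  // right password; only the support path (unlock below) clears it.
  recordSuccess(accountId) {
    if (this.locked.has(accountId)) return 'locked';
    this.failures.delete(accountId);
    return 'ok';
  }

  // Operator action after the user has contacted support or their site rep.
  unlock(accountId) {
    this.locked.delete(accountId);
    this.failures.delete(accountId);
    this.logger({ event: 'account_unlocked', accountId });
  }
}

// Constructed sample: five failures, however far apart in time, lock the account,
// and a subsequent correct password still does not get in.
function demo() {
  const events = [];
  const policy = new LockoutPolicy(e => events.push(e));
  const results = [];
  for (let i = 0; i < 5; i++) results.push(policy.recordFailure('alice'));
  results.push(policy.recordSuccess('alice'));
  return { results, events, locked: policy.isLocked('alice') };
}
```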