[Freeipa-users] otp question to limit brute force vector for web applications

Petr Spacek pspacek at redhat.com
Fri May 13 14:12:46 UTC 2016


On 13.5.2016 15:25, Thomas Heil wrote:
> Hi,
> 
> I would like to reduce the vector of brute force attacks in my web
> application written in php. Users can login via password and otp which
> are hosted on freeipa.
> 
> To achieve this I would like to check the otp first, so no password auth
> is done on the freeipa server and no user can be locked out.
> 
> If the otp is correct, the user is now allowed to login via password+otp.
> 
> Unfortunately, there is no api method that can check only the otp for a
> user with an identity.
> 
> Would it be possible to expose such a new method?

This would open a new attack vector so it is a bad idea.

An attacker must not be able to distinguish the case where the password OR the OTP is
correct/wrong. If you allow this, the attacker will be able to crack the OTP first
and then continue with the password, so you are making it easier.

Do not do that :-)

-- 
Petr^2 Spacek
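To make the combined check concrete, here is an added Python sketch (not FreeIPA code, and not from either poster) of a verifier that evaluates password and OTP together and returns only one verdict, so a caller can never learn which factor was wrong. The user record, salt and PBKDF2 parameters are constructed demo values; the TOTP seed is the RFC 6238 test-vector secret.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo credential store (not real FreeIPA data).
_SALT = b"demo-salt"
_ITER = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
        "failures": 0,
    }
}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(user: str, password: str, otp: str, now: Optional[int] = None) -> bool:
    """One pass/fail verdict over password AND OTP; both are always evaluated."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    if rec is None:
        # Unknown user: do comparable work so timing does not reveal existence.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER), rec["pw_hash"])
    # Accept the current and previous time step to tolerate small clock skew.
    otp_ok = False
    for skew in (0, 30):
        otp_ok |= hmac.compare_digest(otp.encode(), totp(rec["totp_secret"], now - skew).encode())
    # '&' rather than 'and': no short-circuit, so the OTP check runs even when the
    # password is wrong and the caller only ever sees the combined result.
    ok = pw_ok & otp_ok
    rec["failures"] = 0 if ok else rec["failures"] + 1  # lockout counter, one per attempt
    return ok
```

The failure counter is bumped on any failed attempt regardless of which factor was wrong, which is exactly the property the separate OTP-check API in the question would have removed.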
