[Freeipa-users] otp question to limit brute force vector for web applications
Thomas Heil
heil at terminal-consulting.de
Fri May 13 15:24:54 UTC 2016
Hi,
On 13.05.2016 16:12, Petr Spacek wrote:
> On 13.5.2016 15:25, Thomas Heil wrote:
>> Hi,
>>
>> I would like to reduce the vector of brute force attacks in my web
>> application written in php. Users can login via passord and otp which
>> are hosted on freeipa.
>>
>> To achieve this I would like to check the otp first, so no password auth
>> is done on the freeipa server and no user can be locked out.
>>
>> If the otp is correct, the user is now allowed to to login via password+otp.
>>
>> unfortunately, there is no api method that can check only the otp for a
>> user with an identity.
>>
>> Would it be possible to expose such a new method?
>
> This would open a new attack vector so it is a bad idea.
>
> Attacker must not be able to distinguish case where password OR OTP is
> correct/wrong. If you allow this, the attacker will be able to crack OTP first
> and then continue with password, so you are making it easier.
Okay you are right with that. Sorry.
My intention is to avoid to be vulnerable for brute force attacks. I
have a trust with an active directory and want to avoid that the user on
ad side is locked if otp is wrong.
Is this possible?
>
> Do not do that :-)
>
Indeed, I will not do that.
cheers
thomas
More information about the Freeipa-users
mailing list