[Freeipa-users] otp question to limit brute force vector for web applications

Martin Kosek mkosek at redhat.com
Mon May 16 13:24:25 UTC 2016


On 05/13/2016 05:24 PM, Thomas Heil wrote:
> Hi,
> 
> On 13.05.2016 16:12, Petr Spacek wrote:
>> On 13.5.2016 15:25, Thomas Heil wrote:
>>> Hi,
>>>
>>> I would like to reduce the vector of brute force attacks in my web
>>> application written in php. Users can login via password and otp which
>>> are hosted on freeipa.
>>>
>>> To achieve this I would like to check the otp first, so no password auth
>>> is done on the freeipa server and no user can be locked out.
>>>
>>> If the otp is correct, the user is now allowed to login via password+otp.
>>>
>>> unfortunately, there is no api method that can check only the otp for a
>>> user with an identity.
>>>
>>> Would it be possible to expose such a new method?
>>
>> This would open a new attack vector so it is a bad idea.
>>
>> An attacker must not be able to distinguish the case where the password OR the OTP is
>> correct/wrong. If you allow this, the attacker will be able to crack the OTP first
>> and then continue with the password, so you are making it easier.
> 
> Okay you are right with that. Sorry.
> 
> My intention is to avoid being vulnerable to brute force attacks. I
> have a trust with an Active Directory and want to avoid that the user on the
> AD side is locked if the otp is wrong.
> 
> Is this possible?

Not at the moment. We have an RFE filed, but we cannot augment AD user
authentication with OTP yet:

https://fedorahosted.org/freeipa/ticket/4876

Martin
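As an added illustration of Petr's point (this is example code, not code from the thread or from FreeIPA), here is a minimal HOTP verifier in Python with the leaky OTP-only check beside a combined check that never reveals which factor failed. The user record, salt and password are constructed for the demo; the OTP seed is the RFC 4226 test-vector seed.

```python
import hashlib
import hmac
import struct

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
# TOTP is the same with counter = int(time.time()) // 30; the time step is
# left out here so the check stays deterministic and testable.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed user record for the demo: PBKDF2 password hash plus OTP seed.
SALT = b"constructed-salt"  # constructed; a real system uses a per-user random salt

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USER = {
    "pw_hash": hash_password("correct horse"),   # constructed demo password
    "otp_secret": b"12345678901234567890",       # RFC 4226 test-vector seed
}

# Leaky design (what the original question asks for): the OTP is checked on
# its own first, so a caller learns that the OTP is right before the password
# is ever involved. This is the behaviour the reply warns against.
def leaky_check_otp_only(user: dict, otp: str, counter: int) -> bool:
    return hmac.compare_digest(hotp(user["otp_secret"], counter), otp)

# Combined check: both factors are always evaluated (no short-circuit), both
# comparisons are constant-time, and the caller gets a single yes/no. Nothing
# in the return value or the control flow says which factor was wrong.
def verify_login(user: dict, password: str, otp: str, counter: int) -> bool:
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    otp_ok = hmac.compare_digest(hotp(user["otp_secret"], counter), otp)
    return pw_ok and otp_ok
```

Note that the combined check addresses the information leak only; the AD lockout concern raised later in the thread is a separate policy matter on the AD side.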