View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009645 | Taler | libeufin-bank | public | 2025-03-20 21:12 | 2025-04-17 23:08 |
| Reporter | Antoine A | Assigned To | Antoine A | ||
| Priority | high | Severity | major | Reproducibility | N/A |
| Status | assigned | Resolution | open | ||
| Target Version | post-1.0 | ||||
| Summary | 0009645: Lock account on password auth failure | ||||
| Description | We can't lock an account if password authentication fails, because the client username is public and guessable, which would allow anyone to lock any account, constituting a denial-of-service attack. We have therefore chosen to lock the account if 2FA authentication fails, meaning that only accounts with 2FA are protected. We could use a separate login ID, as some banks do. This ID would be randomly generated and can be rotated when leaked or attacked. | ||||
| Tags | local4local, netzbon, security | ||||
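
An added illustration of the policy the description lays out (this is example code, not part of the issue or of libeufin-bank): a wrong password on a public username is refused but never locks, a lock is triggered only by second-factor failures, which are reachable only with the correct password, and the optional secret login ID can be rotated. The threshold, the field names and the in-memory store are assumptions.

```python
import secrets
from dataclasses import dataclass
MAX_2FA_FAILURES = 3  # assumed threshold; the issue does not state one

@dataclass
class Account:
    username: str          # public and guessable: must never trigger a lock
    login_id: str          # random, secret identifier (the alternative the issue mentions)
    password: str          # plaintext only for this demo; a real bank stores a hash
    has_2fa: bool
    pending_2fa: bool = False
    failed_2fa: int = 0
    locked: bool = False

class Bank:
    def __init__(self):
        self.by_username, self.by_login_id = {}, {}

    def create(self, username, password, has_2fa):
        acc = Account(username, secrets.token_urlsafe(16), password, has_2fa)
        self.by_username[username] = self.by_login_id[acc.login_id] = acc
        return acc

    def password_step(self, username, password):
        # Wrong password never locks: the username is public, so a lock here is a DoS vector.
        acc = self.by_username.get(username)
        if acc is None or acc.locked or not secrets.compare_digest(password, acc.password):
            return "denied"
        acc.pending_2fa = acc.has_2fa
        return "2fa_required" if acc.has_2fa else "ok"

    def second_factor_step(self, username, code_ok):
        # Only reachable with the right password, so a lock here cannot be triggered anonymously.
        acc = self.by_username[username]
        if acc.locked or not acc.pending_2fa:
            return "locked" if acc.locked else "denied"
        if code_ok:
            acc.failed_2fa, acc.pending_2fa = 0, False
            return "ok"
        acc.failed_2fa += 1
        if acc.failed_2fa >= MAX_2FA_FAILURES:
            acc.locked, acc.pending_2fa = True, False
            return "locked"
        return "denied"

    def rotate_login_id(self, username):  # new secret ID after a leak; the old one stops resolving
        acc = self.by_username[username]
        del self.by_login_id[acc.login_id]
        acc.login_id = secrets.token_urlsafe(16)
        self.by_login_id[acc.login_id] = acc
        return acc.login_id
```
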

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-03-20 21:12 | Antoine A | New Issue | |
| 2025-03-20 21:12 | Antoine A | Status | new => assigned |
| 2025-03-20 21:12 | Antoine A | Assigned To | => Antoine A |
| 2025-04-17 22:37 | Christian Grothoff | Tag Attached: security | |
| 2025-04-17 22:37 | Christian Grothoff | Tag Attached: netzbon | |
| 2025-04-17 23:07 | Christian Grothoff | Tag Attached: local4local | |
| 2025-04-17 23:08 | Christian Grothoff | Target Version | 1.1 => post-1.0 |