View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009645 | Taler | libeufin-bank | public | 2025-03-20 21:12 | 2025-03-20 21:12 |

| Field | Value |
|---|---|
| Reporter | Antoine A |
| Assigned To | Antoine A |
| Priority | high |
| Severity | major |
| Reproducibility | N/A |
| Status | assigned |
| Resolution | open |
| Target Version | 1.1 |
| Summary | 0009645: Lock account on password auth failure |
| Tags | No tags attached. |

Description

We can't lock an account if password authentication fails, because the client username is public and guessable, which would allow anyone to lock any account, constituting a denial-of-service attack. We have therefore chosen to lock the account if 2FA authentication fails, meaning that only accounts with 2FA are protected. We could use a separate login ID, as some banks do. This ID would be randomly generated and can be rotated when leaked or attacked.
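The lockout policy discussed in the description, written out as an added example in Python; this is not libeufin-bank's code and not the reporter's. It models both choices at once: a sign-in by the public username never counts password failures toward a lock (the DoS problem), a wrong second factor does count, and a sign-in by a separate random login ID, which only its legitimate holder should know, also counts password failures and can be rotated. The class and method names (`Bank`, `Account`, `authenticate`, `rotate_login_id`, `unlock`), the thresholds, and the deterministic `second_factor_code` stand-in for a real OTP generator are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy constants chosen for this example, not libeufin-bank's values.
PBKDF2_ROUNDS = 100_000
MAX_ATTRIBUTABLE_FAILURES = 3


@dataclass
class Account:
    username: str            # public, guessable (e.g. part of a payto address)
    login_id: str            # random secret identifier, rotatable
    pw_salt: bytes
    pw_hash: bytes
    tfa_secret: bytes | None  # None: no second factor configured
    failures: int = 0        # only failures an attacker could not cause anonymously
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def second_factor_code(secret: bytes) -> str:
    # Stand-in for a TOTP generator: a deterministic 6-digit code derived from
    # the shared secret, so the example runs offline and is testable.
    digest = hmac.new(secret, b"constructed-otp", hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self) -> None:
        self.by_username: dict[str, Account] = {}
        self.by_login_id: dict[str, Account] = {}

    def create_account(self, username: str, password: str, with_2fa: bool) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(
            username=username,
            login_id=secrets.token_urlsafe(16),
            pw_salt=salt,
            pw_hash=hash_password(password, salt),
            tfa_secret=secrets.token_bytes(20) if with_2fa else None,
        )
        self.by_username[username] = acct
        self.by_login_id[acct.login_id] = acct
        return acct

    def rotate_login_id(self, username: str) -> str:
        # Issue a fresh random login ID (after a leak or an attack); the old
        # one stops resolving immediately. The lock state is left untouched.
        acct = self.by_username[username]
        del self.by_login_id[acct.login_id]
        acct.login_id = secrets.token_urlsafe(16)
        self.by_login_id[acct.login_id] = acct
        return acct.login_id

    def unlock(self, username: str) -> None:
        acct = self.by_username[username]
        acct.failures = 0
        acct.locked = False

    def _record_failure(self, acct: Account) -> str:
        acct.failures += 1
        if acct.failures >= MAX_ATTRIBUTABLE_FAILURES:
            acct.locked = True
            return "locked"
        return "bad_credentials"

    def authenticate(self, login: str, password: str, code: str | None = None) -> str:
        """Returns 'ok', 'bad_credentials', 'second_factor_required' or 'locked'."""
        via_secret_id = login in self.by_login_id
        acct = self.by_login_id.get(login) or self.by_username.get(login)
        if acct is None:
            return "bad_credentials"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt)):
            # Via the public username, a bad password is not attributable to
            # anyone in particular: counting it would let anyone lock any
            # account. Via the secret login ID it is, so it counts.
            return self._record_failure(acct) if via_secret_id else "bad_credentials"
        if acct.tfa_secret is None:
            return "ok"
        if code is None:
            return "second_factor_required"
        # Getting here required the correct password, so a wrong code is
        # attributable to whoever holds it and counts toward the lock.
        if not hmac.compare_digest(code, second_factor_code(acct.tfa_secret)):
            return self._record_failure(acct)
        acct.failures = 0
        return "ok"
```

The consequence of the design is visible in `authenticate`: an account without a second factor that is only ever addressed by its public username can never be locked, which is exactly the "only accounts with 2FA are protected" limitation the description states; adding the secret login ID is what makes password failures attributable and therefore safe to count.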