View Issue Details
| Field | Value |
|---|---|
| ID | 0009645 |
| Project | Taler |
| Category | libeufin-bank |
| View Status | public |
| Date Submitted | 2025-03-20 21:12 |
| Last Update | 2025-04-17 23:08 |
| Reporter | Antoine A |
| Assigned To | Antoine A |
| Priority | high |
| Severity | major |
| Reproducibility | N/A |
| Status | assigned |
| Resolution | open |
| Target Version | post-1.0 |
| Summary | 0009645: Lock account on password auth failure |
| Description | We can't lock an account if password authentication fails, because the client username is public and guessable, which would allow anyone to lock any account, constituting a denial-of-service attack. We have therefore chosen to lock the account if 2FA authentication fails, meaning that only accounts with 2FA are protected. We could use a separate login ID, as some banks do. This ID would be randomly generated and could be rotated when leaked or attacked. |
| Tags | local4local, netzbon, security |
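The policy in the description above, as an added Python model that is neither libeufin-bank code nor the reporter's: password failures against the public username never lock the account, failures of the second factor do, and the alternative of a secret, rotatable login ID is shown beside it. The class and method names (`Bank`, `login_by_username`, `login_by_login_id`, `rotate_login_id`), the lock thresholds and the fixed second-factor string that stands in for a real TOTP or WebAuthn check are all assumptions made for the example.

```python
# Added illustration of this issue's lockout policy, not libeufin-bank code: names,
# thresholds and the static second-factor code are assumptions (real banks use TOTP/WebAuthn).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_2FA_FAILURES = 3       # assumed: lock after this many wrong second factors
MAX_LOGIN_ID_FAILURES = 5  # assumed: lock after this many wrong passwords on a login ID
OK, BAD_CREDENTIALS, LOCKED = "ok", "bad_credentials", "locked"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)  # low count: demo only

@dataclass
class Account:
    username: str                  # public and guessable
    salt: bytes
    pw_hash: bytes
    second_factor: "str | None"    # None means the account has no 2FA
    login_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # secret
    twofa_failures: int = 0
    login_id_failures: int = 0
    locked: bool = False
    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

class Bank:
    def __init__(self) -> None:
        self.by_username = {}  # username -> Account
        self.by_login_id = {}  # login_id -> Account

    def create_account(self, username, password, second_factor=None) -> None:
        salt = secrets.token_bytes(16)
        acct = Account(username, salt, _hash_password(password, salt), second_factor)
        self.by_username[username] = acct
        self.by_login_id[acct.login_id] = acct

    def login_by_username(self, username, password, code=None) -> str:
        # Public username: a wrong password never locks, since anyone able to
        # guess the username could otherwise lock the account (DoS).
        acct = self.by_username.get(username)
        if acct is None or not acct.password_ok(password):
            return BAD_CREDENTIALS
        if acct.locked:
            return LOCKED
        if acct.second_factor is None:
            return OK
        # Only a caller who already holds the password reaches the second factor,
        # so repeated 2FA failures indicate a stolen password, not a DoS attempt.
        if code is not None and hmac.compare_digest(code, acct.second_factor):
            acct.twofa_failures = 0
            return OK
        acct.twofa_failures += 1
        acct.locked = acct.twofa_failures >= MAX_2FA_FAILURES
        return LOCKED if acct.locked else BAD_CREDENTIALS

    def login_by_login_id(self, login_id, password) -> str:
        # Secret random login ID: unguessable, so failures on it may lock safely.
        acct = self.by_login_id.get(login_id)
        if acct is None:
            return BAD_CREDENTIALS  # unknown ID: nothing to lock, nothing revealed
        if acct.locked:
            return LOCKED
        if acct.password_ok(password):
            acct.login_id_failures = 0
            return OK
        acct.login_id_failures += 1
        acct.locked = acct.login_id_failures >= MAX_LOGIN_ID_FAILURES
        return LOCKED if acct.locked else BAD_CREDENTIALS

    def rotate_login_id(self, username) -> str:
        # After a leak or attack (assumed holder-authenticated): old ID dies, its lock clears.
        acct = self.by_username[username]
        del self.by_login_id[acct.login_id]
        acct.login_id = secrets.token_urlsafe(16)
        acct.login_id_failures, acct.locked = 0, False
        self.by_login_id[acct.login_id] = acct
        return acct.login_id

def demo() -> dict:
    # Runs the issue's scenarios on constructed accounts and returns each outcome.
    bank = Bank()
    bank.create_account("alice", "correct horse", second_factor="123456")
    bank.create_account("bob", "battery staple")  # no 2FA
    for _ in range(10):  # attacker knows only alice's public username
        bank.login_by_username("alice", "guess")
    out = {"spray_locked_alice": bank.by_username["alice"].locked}
    for _ in range(MAX_2FA_FAILURES):  # attacker holds her password, not her 2FA
        bank.login_by_username("alice", "correct horse", "000000")
    out["alice_after_2fa_attack"] = bank.login_by_username("alice", "correct horse", "123456")
    leaked = bank.by_username["bob"].login_id
    for _ in range(MAX_LOGIN_ID_FAILURES):  # leaked login ID plus password guessing
        bank.login_by_login_id(leaked, "guess")
    out["leaked_id_attack"] = bank.login_by_login_id(leaked, "battery staple")
    fresh = bank.rotate_login_id("bob")
    out["old_id_after_rotation"] = bank.login_by_login_id(leaked, "battery staple")
    out["new_id_after_rotation"] = bank.login_by_login_id(fresh, "battery staple")
    return out
```

`demo()` drives the three situations the description contrasts: a password spray against a known username leaves the account unlocked, a stolen password without the second factor locks it after `MAX_2FA_FAILURES` tries, and a leaked login ID locks after `MAX_LOGIN_ID_FAILURES` tries until the holder rotates it, after which the leaked ID is dead and the fresh one works. Note what the model does not do, matching the description's caveat: an account without 2FA gets no lock at all on the username path, so password guessing against it must be slowed by rate limiting elsewhere; only the login-ID path gives such an account a lock it can afford to use.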
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-03-20 21:12 | Antoine A | New Issue | |
| 2025-03-20 21:12 | Antoine A | Status | new => assigned |
| 2025-03-20 21:12 | Antoine A | Assigned To | => Antoine A |
| 2025-04-17 22:37 | Christian Grothoff | Tag Attached: security | |
| 2025-04-17 22:37 | Christian Grothoff | Tag Attached: netzbon | |
| 2025-04-17 23:07 | Christian Grothoff | Tag Attached: local4local | |
| 2025-04-17 23:08 | Christian Grothoff | Target Version | 1.1 => post-1.0 |