CI4 Shield allow max auth fails.

[mihai-vp]

This is a cool idea for the shield library.

But if there was a way to define how many failed auth attemps a user is allowed before forcing them to reset their password.
Im pretty sure password resseting is allready an option.

In the ideal scenario, there is a global variable for shield ($authFailAttempts = 3, for example) where you assign it a number and if a user reaches that number to make them reset their password.

[datamweb]

It's an interesting idea, it seems you can write a custom filter for it.

[mihai-vp]

What would be a high level implementation for this?
Would failed auths be held with the session? And where would you create a filter for this.

Thank you

[lonnieezell]

I know there's been lots of back and forth throughout the security community over the years on the best ways to handle this. The last time I dug into it here's what I came up with. I believe Myth-Auth may have had this implemented but don't recall for sure.

1. never put a hard limit on the number of times someone can try. This causes user dissatisfaction with the site and can lead them to leave the site and not come back.
2. Since that can lead to simple brute-force attempts to hack the account, what you do is to have an initial limit, like the 3 mentioned here, that don't have any restrictions. After that initial limit you progressively force more time to wait between attempts. 5 seconds, then 10, then 20, 30, 45, 60, etc. This makes it too slow for most brute force attempts to care about continuing.
3. you do want to set a maximum wait time between requests, also, though, since you don't want to force them to wait days/weeks/months between attempts.
4. This still leaves you open for DDoS attacks but that is best mitigated by services other than your app, like CloudFlare, etc.

This always struck me as the best compromise between security and usability.

Currently, Shield simply uses CodeIgniter's rate limiting which is a much simpler version of this concept, and probably not quite as effective as what was outlined here.

[mihai-vp]

Very good points.
Could it be like a option to enable auth attempt delays and cap it at 5 minutes between attempt for example eg: 1st attempt 5 sec delay, 2nd 30sec, 3rd 1min, 4th 3min, 5th 5min? So then it's not too much for the user to wait, gives them 8 attempts before capping the delay & gives enough wait time for brute force attackers to give up?

So 3 attempts to get it right, then the delay kicks in.

And DDoS would probably be better handled by a 3rd party like you mentioned.