在 2013-9-6 AM3:25,"Tristan Santore" <tristan.santore(a)internexusconnect.net
写道:
I have another idea. Could we not do a password check, and if the
password is correct, provide the 2fa interface, if then a user does
not enter the 2fa, an email is send to the actual user informing of a
failed login attempt, with the date and time and maybe IP ?
Does this sound more secure to anyone else ?
Wow... that would be great. This is the most serious case we should care
about.
IMHO We should pretend to be "normal" when we meet such case like mailman
subscribe, but I think we also should notify users when $(TIMES) times
wrong password entered. $(TIMES) can be set by users, after limited times
if wrong password comes again we should block the IP.
My blog use plugin with my modification:
If attacker has entered wrong password for 1 times(I set it to 1 because
this case is suitable for me), then if attacker tries to storm my account
for the third time, its IP will be blocked 10000 mins. So I won't receive
too many emails about failed login attempt, but I don't know if Fedora
Infra wants to support this way...