2 factor authentication
Christopher Meng
cickumqt at gmail.com
Fri Sep 6 00:23:06 UTC 2013
在 2013-9-6 AM3:25,"Tristan Santore" <tristan.santore at internexusconnect.net
>写道:
> I have another idea. Could we not do a password check, and if the
> password is correct, provide the 2fa interface, if then a user does
> not enter the 2fa, an email is send to the actual user informing of a
> failed login attempt, with the date and time and maybe IP ?
>
> Does this sound more secure to anyone else ?
Wow... that would be great. This is the most serious case we should care
about.
IMHO We should pretend to be "normal" when we meet such case like mailman
subscribe, but I think we also should notify users when $(TIMES) times
wrong password entered. $(TIMES) can be set by users, after limited times
if wrong password comes again we should block the IP.
My blog use plugin with my modification:
If attacker has entered wrong password for 1 times(I set it to 1 because
this case is suitable for me), then if attacker tries to storm my account
for the third time, its IP will be blocked 10000 mins. So I won't receive
too many emails about failed login attempt, but I don't know if Fedora
Infra wants to support this way...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20130906/721757cb/attachment.html>
More information about the infrastructure
mailing list