show captcha after few invalid login

[mshannaq]

Hello

I am thinking of a new feature that shows captcha in login form after few of invalid login to account.

Example scenario:

Some one visit login page
he entered invalid login information for X number
shield check the config to see if he entered invalid for N times
if X > N then the next login form will contains captcha (e.g google reCaptcha) to make the form more hard.
and if reCaptcha shown in the form the user must validate it even if he enter a valid password.

The benefits from not showing the captcha at the beginning is to make the login form easy to use.

and the benefits from showing the captcha after N invalid logins it to make sure that the from is not used by a bot and make it hard to break any password.

[datamweb]

Hello @mshannaq ,
I really enjoy seeing new people join the Shield contributor community, trying to make Shield better every day.
Thank you very much for sharing your idea.

In this regard, you should first note that Shield is a Authentication and Authorization package. The issue you raised seems to be outside the scope of this package.

I invite you to read discussion number #180 . The consensus in this issue was to have a filter for failed attempts, which is now available as auth-rates.

Overall, my personal opinion is that this great feature should be out of the Shield. However, see what others are saying.

[mshannaq]

Hi @datamweb

I'm happy to see 'auth-rates' filter. and it is really can help and reduce the chance of breaking the password.

just for brainstorming (regarding this) let we says:

auth-rates will reduce the time of trying to login for many times made from an IP and this can help securing accounts... but not stopping from trying from other IPs or from that IP after a period of time (which botnet uses that technique)

while csrf_field making sure from > no one can try to login not using the original login form.

while we can use $minimumPasswordLength with $passwordValidators to make sure that users will use hard password.

and that is helpful and secure in my opinion.

But as officials, it is important for us to be aware that we must protect user accounts as we can. this has led me to consider using captcha.

I'm working on CI and shield to create a new web app, and in that project that I am working on, I think that I will go even further. I will be adding fields in the database as well into the users table to lock the user account if he has invalid logins and in the next login try (even from other IPs) I will ask him to do more challenges before he login successfully to his account. and while that is out of shield scope I just post the captcha matter in discussions to collect opinions.

Thanks again and lets see what others are saying.

[kenjis]

I think auth-rate is good but not enough.
If an attacker uses multiple IP addresses, s/he can try more times.

So I'm fine that Shield has account lock feature. If login attempts fail more than X times, lock the account for a while.

[mshannaq]

@kenjis Lock the account without the ability to unlock it immediately after do some extra challenges will interrupt the users and lock the system for period of time.

That mean if we lock the user account for a while without the ability to unlock it will interrupt the user and lock the system and that mostly unacceptable by anyone because botnets can lockdown the system easy

So if the feature lock will be applied it must has the ability to unlock it immediately after do some challenge ( I don't know what kind of challenge but let we think about security code sent to email like 2fa to unlock the account or something like that)

[kenjis]

What do you mean by lock the system?
If a count is locked, only the user cannot log in. The system works except it.

[mshannaq]

What do you mean by lock the system? If a count is locked, only the user cannot log in. The system works except it.

@kenjis Yes you are sure if the account locked one user will be locked and the system works. But imagin that the system has one super user only and it is locked. So the whole admin backend will be locked. And if it has botnet attack it can be locked for long and this will interrupt the admin.

So immediately unlock locked account by do some challenges is the best on my opinion.

For example if 15 invalid try then lock the account until he verify 2fa send to email or something like that and if made it will be unlock the account immediately without need to wait for time.

[kenjis]

Okay, thanks. I got your point!

Shield has magic link login, and you can use it for immediate login.

[mshannaq]

So we can lock the account and push the user to use magic link instead of his account is locked