Throttle second factor attempts #477
Description
TIL, brute-forcing TOTP is much easier than I assumed (yay for checking assumptions!). That applies to other providers as well to varying degrees.
It seems like a simple solution would be to throttle attempts with increasing severity:
| # of Failed Attempts | Delay (seconds) |
|---|---|
| 0 | 0 |
| 1 | 0 |
| 2 | 1 |
| 3 | 3 |
| 4 | 5 |
| 5 | 10 |
| 6 | 20 |
... and so on. There could be a filter on that mapping of attempts -> delay, to allow customization. Implementing it should be straightforward with a usermeta counter, and a sleep() inside login_form_validate_2fa(), and some kind of notice to the user.
After ~8 attempts, though, it may be safest to assume that the password has been compromised, and to force a reset and email the user.