
Question

I want to cover the possible attack cases. My application already has a captcha and two-factor authentication, but how can I avoid a tiny attack without annoying my users? The possible cases I'm thinking of covering are:

1. Show a captcha after 3 failed login attempts, based on the session, but the problem is that some related articles said it should not be based on the ASP.NET session, as it could somehow be cleared.

2. Show the two-factor authentication after the captcha, but should I also show the captcha based on the failed count from the previous step? Or should I count from the beginning?

3. I'm also thinking of blocking the user's IP for a certain period, but that might affect other users working from the same IP! What if the hacker has a tool for changing the IP periodically?

Could you please advise me, with references if possible, on the best way to cover these security issues?

Explanation / Answer

A relatively user-friendly way of mitigating brute-force attacks is delaying the minimum time between attempts. The first time your user enters wrong credentials, you let him wait 1 second before he can try again. The second time, you let him wait 2 seconds. The third time, you make him wait 4 seconds; the fourth time, 8 seconds, and so on. You also base this on the username that is used to authenticate, not on any IP address. If there hasn't been an attempt in the past 5 minutes (or if the user authenticated successfully), you reset the counter.

The result is that a user who makes a typo in their password isn't affected the first few times, but any brute-forcer will very quickly reach a point where brute-forcing is effectively no longer viable.
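The backoff scheme described in the answer above, written out as a runnable example. This is added illustration code, not part of the original answer, and it is language-neutral (Python rather than the asker's ASP.NET stack) so the logic can be run and checked directly. It keeps per-username state in a plain dictionary; in a real deployment that state belongs in a shared store (database or cache) rather than in the web session, which addresses the asker's concern about session-based counters being cleared. The 5-minute reset comes from the answer; the cap on the delay (assumed here, set equal to the reset window) is an addition so that someone who repeatedly fails against a victim's username cannot lock that user out for hours.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RESET_AFTER_SECONDS = 5 * 60  # from the answer: forget failures after 5 quiet minutes
# Assumed cap (not in the answer): a delay longer than the reset window would be
# cleared by the reset anyway, so capping here keeps the behaviour consistent.
MAX_DELAY_SECONDS = RESET_AFTER_SECONDS


@dataclass
class _Record:
    failures: int = 0           # consecutive evaluated failures for this username
    last_attempt: float = 0.0   # timestamp of the last attempt that was actually evaluated
    blocked_until: float = 0.0  # earliest timestamp at which a new attempt is evaluated


@dataclass
class LoginThrottle:
    """Per-username exponential backoff: wait 1s, 2s, 4s, 8s, ... after each failure.

    Keyed by username, not client IP, so shared NAT addresses are unaffected and
    rotating source IPs does not help an attacker.
    """
    records: Dict[str, _Record] = field(default_factory=dict)

    def _record(self, username: str, now: float) -> _Record:
        rec = self.records.setdefault(username, _Record())
        # Reset the counter when there has been no evaluated attempt for 5 minutes.
        if rec.failures and now - rec.last_attempt > RESET_AFTER_SECONDS:
            rec.failures = 0
            rec.blocked_until = 0.0
        return rec

    def check(self, username: str, now: Optional[float] = None) -> float:
        """Seconds this username must still wait before an attempt is evaluated (0.0 if none)."""
        now = time.time() if now is None else now
        rec = self._record(username, now)
        return max(0.0, rec.blocked_until - now)

    def attempt(self, username: str, credentials_ok: bool,
                now: Optional[float] = None) -> Tuple[bool, float]:
        """Process one login attempt.

        `credentials_ok` is the result of the real password check, supplied by the caller.
        Returns (accepted, seconds_to_wait). Attempts made inside the backoff window are
        refused without being counted, so hammering during the wait does not extend it.
        """
        now = time.time() if now is None else now
        rec = self._record(username, now)
        remaining = rec.blocked_until - now
        if remaining > 0:
            return False, remaining
        rec.last_attempt = now
        if credentials_ok:
            # A successful login clears all state for the username.
            self.records.pop(username, None)
            return True, 0.0
        rec.failures += 1
        delay = float(min(2 ** (rec.failures - 1), MAX_DELAY_SECONDS))
        rec.blocked_until = now + delay
        return False, delay


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock: three typos, then a correct password.
    throttle = LoginThrottle()
    t = 1000.0
    for ok in (False, False, False, True):
        accepted, wait = throttle.attempt("alice", ok, now=t)
        print(f"t={t:.0f}s accepted={accepted} next wait={wait:.0f}s")
        t += wait
```

The caller still performs the real credential check and passes its result in; the throttle only decides whether an attempt is evaluated at all and how long the next wait is. Because refused attempts are not counted, the wait for a legitimate user is bounded by the cap regardless of how fast someone else is retrying their username; the captcha and second factor the asker already has remain in place as further layers.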
