[pbs-devel] [RFC backup 0/6] Two factor authentication

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Dec 2 15:29:15 CET 2020

> On 12/02/2020 3:21 PM Oguz Bektas <o.bektas at proxmox.com> wrote:
> if lockout isn't preferred, another solution would be for example to
> increase the delay in a linear fashion after every failed 2fa auth attempt
> (gets longer to auth for that IP address each time the TOTP code failed).
> however this can also be easily bypassed by using proxies etc. during
> brute force, so I'd prefer a lockout policy instead.

Personally I don't have a problem with locking second factors after
failed attempts because it will tell the user that their password has
most likely been compromised.

Regardless of all that though, this does not need to be the subject of
this patch series. E.g. timeouts & lockouts are a general authentication
issue and should be a separate series. And even the TFA-specific ones
can be added afterwards, as that's just metadata and does not touch the
actual WA/TOTP/... implementation itself anyway.

So maybe we should switch the subject on this discussion or start
a new thread? ;-)
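The two options discussed in this thread (a per-IP linear delay versus locking the user's second factor after repeated failures) can be illustrated with a small throttling table. The following Rust module is an added example written for this discussion; it is not code from the patch series or from Proxmox Backup Server, and the names `TfaThrottle`, `Verdict`, `check`, `record_failure` and the numeric limits are assumptions chosen for illustration. It tracks both counters side by side: the per-IP delay grows linearly with each failure from that address, while the per-user counter keeps counting across source addresses, so switching IPs does not avoid the lockout, which is exactly the caveat raised above. Time is passed in as a plain seconds value so the logic can be exercised without sleeping.

```rust
use std::collections::HashMap;

/// Result of checking whether a second-factor attempt may proceed.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// The attempt may be evaluated.
    Allow,
    /// The user's second factor is locked; the user should be told their
    /// password has most likely been compromised.
    LockedOut,
    /// The source address must wait this many seconds (linear back-off).
    Delay(u64),
}

/// Hypothetical throttle combining a per-IP linear delay with a per-user lockout.
pub struct TfaThrottle {
    /// Failed attempts per user before the second factor is locked.
    max_user_failures: u32,
    /// Seconds added to the per-IP delay for every failure from that address.
    delay_step_secs: u64,
    /// user id -> failed attempts (counted across all source addresses)
    user_failures: HashMap<String, u32>,
    /// source address -> (failed attempts, earliest time the next attempt is allowed)
    ip_state: HashMap<String, (u32, u64)>,
}

impl TfaThrottle {
    pub fn new(max_user_failures: u32, delay_step_secs: u64) -> Self {
        TfaThrottle {
            max_user_failures,
            delay_step_secs,
            user_failures: HashMap::new(),
            ip_state: HashMap::new(),
        }
    }

    pub fn is_locked(&self, user: &str) -> bool {
        self.user_failures.get(user).copied().unwrap_or(0) >= self.max_user_failures
    }

    /// Decide, before verifying the code, whether this attempt may proceed.
    /// The user lockout is checked first: it must not be sidestepped by a fresh IP.
    pub fn check(&self, user: &str, ip: &str, now: u64) -> Verdict {
        if self.is_locked(user) {
            return Verdict::LockedOut;
        }
        if let Some(&(_, next_allowed)) = self.ip_state.get(ip) {
            if now < next_allowed {
                return Verdict::Delay(next_allowed - now);
            }
        }
        Verdict::Allow
    }

    /// Record a failed second-factor attempt and return the resulting state.
    pub fn record_failure(&mut self, user: &str, ip: &str, now: u64) -> Verdict {
        // Per-IP counter: the delay grows linearly with the failure count.
        let entry = self.ip_state.entry(ip.to_string()).or_insert((0, 0));
        entry.0 += 1;
        let delay = self.delay_step_secs * u64::from(entry.0);
        entry.1 = now + delay;

        // Per-user counter: independent of the source address.
        let failures = self.user_failures.entry(user.to_string()).or_insert(0);
        *failures += 1;
        if *failures >= self.max_user_failures {
            Verdict::LockedOut
        } else {
            Verdict::Delay(delay)
        }
    }

    /// A successful login clears both counters.
    pub fn record_success(&mut self, user: &str, ip: &str) {
        self.user_failures.remove(user);
        self.ip_state.remove(ip);
    }

    /// Administrative reset of a locked user (e.g. after a password change).
    pub fn unlock(&mut self, user: &str) {
        self.user_failures.remove(user);
    }
}

fn main() {
    // Constructed walk-through: three failures from three different addresses.
    let mut throttle = TfaThrottle::new(3, 10);
    println!("{:?}", throttle.record_failure("alice", "10.0.0.1", 100));
    println!("{:?}", throttle.record_failure("alice", "10.0.0.2", 100));
    println!("{:?}", throttle.record_failure("alice", "10.0.0.3", 100));
    println!("locked: {}", throttle.is_locked("alice"));
}
```

The per-IP delay alone is what the quoted message says is easy to route around; the user counter is what makes the lockout stick, and a locked state is also the signal that the first factor is probably known to someone else, which is the argument made above for accepting the lockout.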

