[pve-devel] [PATCH docs] user management: document TFA lockout

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Jun 7 10:49:37 CEST 2023

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
 pveum.adoc | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/pveum.adoc b/pveum.adoc
index 6a0ad17..707e87d 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -579,6 +579,30 @@ documentation for how to use the
 https://www.yubico.com/products/services-software/yubicloud/[YubiCloud] or
 https://developers.yubico.com/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/[host your own verification server].
+Limits and lockout of Two-Factor Authentication
+A second factor is meant to protect users if their password is somehow leaked
+or guessed. However, some factors could still be broken by brute force. For
+this reason, users will be locked out after too many failed 2nd factor login
+For TOTP 8 failed attempts will disable the user's TOTP factors. They are
+unlocked when logging in with a recovery key. If TOTP was the only available
+factor, admin intervention is required, and it is highly recommended to require
+the user to change their password immediately.
+Since FIDO2/Webauthn and recovery keys are less susceptible to brute force
+attacks, the limit there is higher, but block all second factors for an hour
+when exceeded.
+An admin can unlock a user's Two-Factor Authentication at any time via the user
+list in the UI or the command line:
+ pveum user tfa unlock joe at pve
 User Configured TOTP Authentication

More information about the pve-devel mailing list