Type: Technical Documentation
Affects Version/s: None
Fix Version/s: 7.3.10 DXP GA1
Component/s: Application Security > Multi-Factor Authentication
Sprint: Iteration 30, Iteration 31, Iteration 32, Iteration 33, Iteration 34, Iteration 35, Iteration 36
Type of Documentation: Deployment
This feature allows a Portal Instance administrator to configure the number of failed verification attempts a user is allowed and a time interval that must elapse, once that maximum has been reached, before the user can try again. This makes it harder for an attacker to brute force the verifiers (for example an email one-time password), because after the configured number of failed attempts the system withholds the verifiers from that user for the configured interval instead of checking every guess as fast as it is submitted.
This feature is configured under Control Panel > Configuration > Instance Settings > Multi-Factor Authentication. Two configuration entries control it, and both must be set to a value greater than zero for the feature to be enabled:
- Number of allowed failed attempts: the number of failed verification attempts a user may make before the Retry timeout interval is enforced.
- Retry timeout: the interval during which the verifier is unavailable to that user after the allowed number of failed attempts has been reached. Once this interval has passed, the verifier works normally again for the user.
Technical Documentation Details
- Name of the configuration interface (System Settings): com.liferay.multi.factor.authentication.email.otp.web.internal.checker.MFAEmailOTPConfiguration
- Class(es) and module(s) where this configuration is used:
- Classes: EmailOTPBrowserMFAChecker, MFAPolicy
- Modules: multi-factor-authentication-web, multi-factor-authentication-email-otp-web
- Specific implementation details that help in understanding how it works, and hints for debugging and fixing: the check is implemented in EmailOTPBrowserMFAChecker#verifyBrowserRequest.
- What is the effect of setting these values to "-1"? Setting either value to -1 disables the feature (consistent with the enabling condition above, any value that is not greater than zero has the same effect). With the feature disabled, failed verification attempts are not counted and no retry interval is enforced, so the verifier answers every attempt immediately.
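The following is an added illustration of the semantics described on this page (the failed-attempt counter, the retry interval, and the "-1 disables the feature" rule). It is not Liferay's code and does not use any Liferay API; the class and method names are hypothetical, the per-user state is kept in memory, and the retry timeout is assumed to be expressed in seconds, which the page does not specify. A fake clock is included so the expiry of the interval can be exercised without waiting.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class _UserState:
    failures: int = 0                  # failed attempts since the last reset
    locked_until: Optional[float] = None  # clock value at which the lock ends


class RetryGuard:
    """Hypothetical lock-out gate in front of a second-factor verifier.

    failed_attempts_allowed: failures tolerated before the verifier is withheld.
    retry_timeout: seconds (assumed unit) the verifier stays unavailable once the
        limit is reached.
    If either value is not greater than zero (for example -1) the feature is
    disabled: nothing is counted and every attempt is checked immediately.
    """

    def __init__(self, failed_attempts_allowed: int, retry_timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failed_attempts_allowed = failed_attempts_allowed
        self.retry_timeout = retry_timeout
        self._clock = clock
        self._states: Dict[str, _UserState] = {}

    @property
    def enabled(self) -> bool:
        return self.failed_attempts_allowed > 0 and self.retry_timeout > 0

    def is_available(self, user_id: str) -> bool:
        """True if the verifier may be used by this user right now."""
        if not self.enabled:
            return True
        state = self._states.get(user_id)
        if state is None or state.locked_until is None:
            return True
        if self._clock() >= state.locked_until:
            # Interval elapsed: the verifier works normally again and the
            # failure counter starts over for this user.
            del self._states[user_id]
            return True
        return False

    def verify(self, user_id: str, submitted_code: str, expected_code: str) -> str:
        """Returns 'locked', 'ok' or 'fail'."""
        if not self.is_available(user_id):
            return "locked"   # the guess is not even compared
        if hmac.compare_digest(submitted_code, expected_code):
            self._states.pop(user_id, None)   # success clears the counter
            return "ok"
        if self.enabled:
            state = self._states.setdefault(user_id, _UserState())
            state.failures += 1
            if state.failures >= self.failed_attempts_allowed:
                state.locked_until = self._clock() + self.retry_timeout
        return "fail"


class FakeClock:
    """Manually advanced clock so the retry interval can be tested offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(failed_attempts_allowed: int, retry_timeout: float) -> List[str]:
    """Constructed scenario: three wrong guesses, then the right code twice,
    with the retry interval allowed to elapse between the two correct attempts."""
    clock = FakeClock()
    guard = RetryGuard(failed_attempts_allowed, retry_timeout, clock)
    expected = "654321"   # constructed sample OTP
    results = [guard.verify("alice", guess, expected)
               for guess in ("111111", "222222", "333333")]
    results.append(guard.verify("alice", expected, expected))
    clock.advance(max(retry_timeout, 0))
    results.append(guard.verify("alice", expected, expected))
    return results


if __name__ == "__main__":
    print("enabled (3 attempts, 600 s):", simulate(3, 600))
    print("disabled (-1, -1):          ", simulate(-1, -1))
```

With the feature enabled the fourth attempt is refused even though the submitted code is correct, and only once the interval has elapsed is the code checked again; with both values at -1 the same correct code is accepted immediately after three failures, which is the unlimited-guessing behaviour the page warns against. The lock is tracked per user, so one user's failures do not affect another's.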