Account Lockout
Need
To prevent potential denial of service for valid users via account lockouts.
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of user lockout feature for failed authentication attempts
Description
1. Non compliant code
defmodule VulnerableApp do
def login(user, password) do
case authenticate(user, password) do
:ok -> {:ok, get_user(user)}
{:error, :invalid_credentials} -> update_failed_attempts(user)
end
end
defp update_failed_attempts(user) do...This code accepts user credentials and locks the user account after three failed login attempts. An attacker could exploit this by purposely failing login attempts for a targeted user, effectively locking them out of their account.
2. Steps
• Implement a delay after each failed authentication attempt, which increases with each attempt. This slows down brute force attacks without locking out legitimate users.
• Use a CAPTCHA after a certain number of failed attempts to prevent automated brute force attacks.
• Notify users via email or SMS when their account is locked out due to failed login attempts, and provide them with a way to unlock their account.
3. Secure code example
defmodule SecureApp do
def login(user, password) do
case authenticate(user, password) do
:ok -> {:ok, get_user(user)}
{:error, :invalid_credentials} -> update_failed_attempts(user)
end
end
defp update_failed_attempts(user) do...This code implements a progressive delay after each failed login attempt, slowing down potential brute force attacks without locking out legitimate users. It also sends a notification to the user when their account is locked, providing a way for legitimate users to unlock their account.
References
• 087. Account Lockout