0

I have a one time password system implemented for my website using RFC 4226. This password is sent via SMS to a mobile device. The user can only receive the password on their mobile device, and the password expires after 15 minutes.

Users also have the standard alpha-numeric "master password" that is typically used. I have implemented a 3 failure lockout workflow. This lockout lasts for 15 minutes.

My question is from a security standpoint is it acceptable to only lockout the "master password"? Should I allow the user around the lockout policy if they use the one time password feature? Am I opening any kind of security holes?

Tomasz Nurkiewicz
  • 334,321
  • 69
  • 703
  • 674
Josh
  • 16,286
  • 25
  • 113
  • 158

2 Answers2

3

It's not exactly an answer to your question, but when building systems like this you have to keep in mind that usability trumps security every time the two butt heads. The more arduous you make your security policy on end-users, the more they'll be motivated to come up with insecure workarounds to get their jobs done.

Schneier said it better than I can summarize here though, I'd suggest reading up on his stuff there.

jricher
  • 2,663
  • 1
  • 18
  • 17
2

i understand your point of view security vs. usability, i offer you implement static password lockout mechanism, which has become a de-facto standard for almost every website.

here explained really well so i don't need to type again:

Most of the password lockout mechanism today are static, which means, they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute force attempts against the login functionality. Even though this feature does what it’s supposed to, it has its own shortcomings too. From a security point of view, this feature can be abused by a bad guy to lock most or all of the users by writing a script with all the possible permutations and combinations for a username (which are mostly alphabets, if not alphanumerical), resulting in a denial of service.

From usability point of view, there is always a debate as to the number of attempts to be allowed before locking a user account. Most websites allow 3 attempts while some (very few) allow 5 or sometimes 7.

Intellipass tries to bridge the gap between the security and the usability aspect of this feature. By storing every login attempt of a user, Intellipass can intelligently understand user’s past behavior and act accordingly. For ex. If a user locks himself out every time, then Intellipass will dynamically increase the number of attempts from 3 to 5 or from 5 to 7. On the other hand, if a user logs in first or second time every time he or she tried to login in the past, but for some reason has taken 3 attempts this time, Intellipass will automatically reduce the number of attempts from 7 to 5 or 5 to 3. The second component of Intellipass is throwing in a random captcha or insert a time delay between the login attempts to prevent automated attacks.

Community
  • 1
  • 1
berkay
  • 3,907
  • 4
  • 36
  • 51
  • That's what I have for my lockout. As it stands now, a user can circumvent the lockout by sending a one time password to their phone and signing in with that, or by issuing a password reset, which sends a 256-bit encrypted url to their e-mail to be used within 24 hours to reset a password. My question is whether or not it is a good practice to have these as workarounds to the lockout, which lasts 15 minutes after 3 failed attempts. – Josh Jan 13 '11 at 13:49
  • @Josh, i have never seen 15 min lockout. after 3 failed login, system asks for calling and proofing your identity to get new password. the expiration time for one password is commonly 3 min. – berkay Jan 13 '11 at 15:09