Web - increased security. 2FA for web login + temp block after x failed attempts
Two things that would be great to have for web access that would make it much more secure IMO:
1 - One-time password (1Password, etc).
2 - Block access from IP for m minutes after x failed attempts. Notify via email when this gets triggered.
Hope that is not too difficult to implement. What do you think?
Thanks, James.
Comments
Thanks for the suggestions. SecuritySpy does already implement your second suggestion. After 3 failed login attempts, SecuritySpy will start to delay its responses to the client, with increasing delays. Then, after 16 failed attempts, SecuritySpy will block the client for 5 minutes. This basically makes brute-force password guessing attempts impossible, as long as your passwords are reasonably strong. When a client is blocked, a message is written to the web log with the IP address of the client (providing you have enabled the web log under Preferences > Web in SecuritySpy).
As for 2FA, this isn't really compatible with SecuritySpy's current login mechanism, so would require major changes. We'll consider this for the future. However, I would say that as long as you use strong passwords, and always connect to your SecuritySpy server using HTTPS, then you are very safe.
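The throttling behaviour described in the reply above, sketched as an added example that is not part of the original thread and is not SecuritySpy's code. The thresholds (3 failures, 16 failures, 5 minutes) come from the reply; the doubling delay schedule, the delay cap, the reset rules, the log wording and the `LoginThrottle` name are assumptions.

```python
import time

DELAY_AFTER = 3           # failures before responses are delayed (from the reply)
BLOCK_AFTER = 16          # failures before the client is blocked (from the reply)
BLOCK_SECONDS = 5 * 60    # block length (from the reply)
BASE_DELAY = 0.5          # assumption: first delay, in seconds
MAX_DELAY = 30.0          # assumption: upper bound on a single delay


class LoginThrottle:
    """Tracks failed logins per client IP: growing delays, then a timed block."""

    def __init__(self, clock=time.monotonic, log=print):
        self._clock = clock           # injectable so the timing can be tested
        self._log = log               # stands in for the web log
        self._failures = {}           # ip -> consecutive failed attempts
        self._blocked_until = {}      # ip -> clock value at which the block ends

    def check(self, ip):
        """Call before checking the password. Returns (allowed, delay_seconds)."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if self._clock() < until:
                return False, 0.0
            # Assumption: once the block expires the client starts from zero.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
        over = self._failures.get(ip, 0) - DELAY_AFTER
        if over < 0:
            return True, 0.0
        # Assumed schedule: double the delay per extra failure, up to MAX_DELAY.
        return True, min(MAX_DELAY, BASE_DELAY * 2 ** over)

    def record_failure(self, ip):
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= BLOCK_AFTER and ip not in self._blocked_until:
            self._blocked_until[ip] = self._clock() + BLOCK_SECONDS
            self._log(f"blocked {ip} for {BLOCK_SECONDS}s after {count} failed logins")

    def record_success(self, ip):
        # Assumption: a correct password clears the failure history.
        self._failures.pop(ip, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, BLOCK_AFTER + 1):   # constructed run of wrong passwords
        throttle.record_failure("192.0.2.10")
        print(attempt, throttle.check("192.0.2.10"))
```

The caller is expected to sleep for the returned delay before answering, and to reject the request outright when `allowed` is false.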