List: wsf-java-dev
Subject: Re: [Dev] User's failed login attempts based adaptive authentication
From: Anuradha Karunarathna <anuradhak () wso2 ! com>
Date: 2018-11-15 14:41:31
Message-ID: CAJyR_uEq0gsS2tBP6YAC9Jsdyscx3qV-+HBzmWnB3J9opUbu=w () mail ! gmail ! com
Hi,
Your suggestions for the new claim name[1] are highly appreciated.
[1]https://github.com/wso2/carbon-identity-framework/pull/1975
*Anuradha Karunarathna*
Intern-Software Engineering | WSO2,inc.
On Sat, Nov 10, 2018 at 1:00 PM Anuradha Karunarathna <anuradhak@wso2.com> wrote:
> Hi,
>
> I have developed a new adaptive authentication script considering the
> number of failed login attempts of a user. Its basic scenario can be
> explained as follows.
>
> Let's consider a scenario where you want to prompt an additional level of
> authentication for a user who has exceeded a specific number of continuous
> failed login attempts. Also, you want to consider all the failed login
> attempts of a user until a successful login attempt, even if those continuous
> failed attempts are made over several days.
>
> For that purpose, the 'Failed Login Attempts' claim is used to keep track of
> the number of failed login attempts of a user. Since this number resets to
> 0 when a successful login happens, a new claim needs to be introduced to
> store the number of failed login attempts just before a successful login
> attempt. Here is the PR for that new claim [1] <https://github.com/wso2/carbon-identity-framework/pull/1975>.
>
> In order to update the number of failed login attempts, account locking
> under the resident IDP's login policies needs to be enabled. Therefore, the
> 'Failed Lockout Count' claim is also considered when counting the number of
> failed login attempts just before a success. The changes that need to be made
> in AccountLockHandler can be found here [2] <https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49>.
>
> Follow the instructions in [3] <https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing>
> to test this template with WSO2is-5.7.0.
>
> The implemented script will be added as a default template under script
> based adaptive authentication since it is a common use case.
>
> -Script-
>
> // This variable is used to define the number of invalid attempts allowed
> // before prompting the second factor
> var invalidAttemptsToStepup = 3;
>
> // Local claim holding the number of failed attempts recorded just before
> // the user's last successful login (kept up to date by AccountLockHandler)
> var failedLoginAttemptsBeforeSuccessClaim = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';
>
> function onLoginRequest(context) {
>     doLogin(context);
> }
>
> function doLogin(context) {
>     executeStep(1, {
>         onSuccess: function (context) {
>             var user = context.steps[1].subject;
>             // Prompt the second factor only for users who exceeded the limit
>             if (isExceedInvalidAttempts(user)) {
>                 executeStep(2);
>             }
>         },
>         onFail: function (context) {
>             // Retry the login
>             doLogin(context);
>         }
>     });
> }
>
> function isExceedInvalidAttempts(user) {
>     // The claim value is compared against the configured threshold
>     return user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup;
> }
>
> [1] https://github.com/wso2/carbon-identity-framework/pull/1975
> [2] https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49
> [3] https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing
> *Anuradha Karunarathna*
> Intern-Software Engineering | WSO2,inc.
>
>
>
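The following is an added example, not the script from this thread nor WSO2's AccountLockHandler code: it simulates how the 'Failed Login Attempts', 'Failed Lockout Count' and 'failedLoginAttemptsBeforeSuccess' claims evolve over a sequence of login outcomes, then applies the same step-up rule as the posted script. The handler model (counter resets and lockout count increments when the lockout threshold is hit, both reset on success), the constructed lockout threshold of 5, and the two claim URIs other than failedLoginAttemptsBeforeSuccess are assumptions.

```javascript
// Added example (not the thread's script or WSO2's own handler code).
// Claim URIs: only FAILED_BEFORE_SUCCESS comes from the thread; the other two are assumed names.
const FAILED_ATTEMPTS = 'http://wso2.org/claims/identity/failedLoginAttempts';                 // assumed URI
const LOCKOUT_COUNT = 'http://wso2.org/claims/identity/failedLoginLockoutCount';               // assumed URI
const FAILED_BEFORE_SUCCESS = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';

const invalidAttemptsToStepup = 3; // same threshold as the posted script
const maxFailedAttempts = 5;       // lockout threshold of the resident IdP login policy (constructed value)

// A user object shaped like the subject the script reads (claim values are strings).
function newUser() {
  return { localClaims: { [FAILED_ATTEMPTS]: '0', [LOCKOUT_COUNT]: '0', [FAILED_BEFORE_SUCCESS]: '0' } };
}

// Assumed model of the lock handler: on each failure the counter grows; reaching the
// lockout threshold locks the account, restarts the counter and bumps the lockout count.
// On success the total since the last success is stored in the new claim, then both reset.
function recordLoginOutcome(user, succeeded) {
  const c = user.localClaims;
  let attempts = parseInt(c[FAILED_ATTEMPTS], 10);
  let lockouts = parseInt(c[LOCKOUT_COUNT], 10);
  if (succeeded) {
    // Failures in completed lockout windows plus failures in the current window.
    c[FAILED_BEFORE_SUCCESS] = String(lockouts * maxFailedAttempts + attempts);
    c[FAILED_ATTEMPTS] = '0';
    c[LOCKOUT_COUNT] = '0';
    return;
  }
  attempts += 1;
  if (attempts >= maxFailedAttempts) {
    lockouts += 1;
    attempts = 0;
  }
  c[FAILED_ATTEMPTS] = String(attempts);
  c[LOCKOUT_COUNT] = String(lockouts);
}

// Same decision as the posted script; parse explicitly because claims are strings.
function isExceedInvalidAttempts(user) {
  return parseInt(user.localClaims[FAILED_BEFORE_SUCCESS], 10) >= invalidAttemptsToStepup;
}

// Replay a constructed sequence of outcomes (true = success) and report the decision.
function simulate(outcomes) {
  const user = newUser();
  outcomes.forEach(ok => recordLoginOutcome(user, ok));
  return { stepUp: isExceedInvalidAttempts(user), claims: { ...user.localClaims } };
}
```

A run such as `simulate([false, false, false, false, false, false, false, true])` shows why the lockout count matters: the per-lock counter alone would report 2, while the new claim records all 7 failures and triggers step 2.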