From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] user management: document TFA lockout
Date: Wed, 7 Jun 2023 10:49:37 +0200
Message-ID: <20230607084937.91983-1-w.bumiller@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
pveum.adoc | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/pveum.adoc b/pveum.adoc
index 6a0ad17..707e87d 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -579,6 +579,30 @@ documentation for how to use the
https://www.yubico.com/products/services-software/yubicloud/[YubiCloud] or
https://developers.yubico.com/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/[host your own verification server].
+[[pveum_tfa_lockout]]
+Limits and lockout of Two-Factor Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A second factor is meant to protect users if their password is somehow leaked
+or guessed. However, some factors could still be broken by brute force. For
+this reason, users will be locked out after too many failed 2nd factor login
+attempts.
+
+For TOTP 8 failed attempts will disable the user's TOTP factors. They are
+unlocked when logging in with a recovery key. If TOTP was the only available
+factor, admin intervention is required, and it is highly recommended to require
+the user to change their password immediately.
+
+Since FIDO2/Webauthn and recovery keys are less susceptible to brute force
+attacks, the limit there is higher, but block all second factors for an hour
+when exceeded.
+
+An admin can unlock a user's Two-Factor Authentication at any time via the user
+list in the UI or the command line:
+
+[source,bash]
+ pveum user tfa unlock joe@pve
+
[[pveum_user_configured_totp]]
User Configured TOTP Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
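Review bot: the FIDO2/WebAuthn paragraph ("Since FIDO2/Webauthn and recovery keys are less susceptible ...") says the limit is "higher" but never gives the number, while the TOTP paragraph states 8; an admin investigating why a user is locked out needs the actual threshold, so please state it alongside the one-hour duration. The same sentence also needs a grammar fix, since "the limit there is higher, but block all second factors for an hour when exceeded" has no subject for "block"; something like "the limit there is higher, but exceeding it blocks all second factors for an hour" reads correctly. Two smaller points: "For TOTP 8 failed attempts" wants a comma after "TOTP", and the standard spelling is "WebAuthn". On the command example, the `[source,bash]` attribute is applied to a single space-indented line; a `----`-delimited listing block does not depend on the leading space surviving edits and is the safer form for a source block.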
--
2.39.2