Availability / No locking mechanism
The API interface concerned does not implement a locking mechanism. During authentication, any number of logon data can be tried without locking the user account.
An attacker can perform a brute force attack without locking user accounts. This allows an attacker to obtain valid credentials.
The most common protection against these attacks is to implement account lockout, which prevents any more login attempts for a period after a certain number of failed logins.
The counter of failed logins should be associated with the account itself, rather than the source IP address, in order to prevent an attacker from making login attempts from a large number of different IP addresses. There are a number of different factors that should be considered when implementing an account lockout policy in order to find a balance between security and usability:
- The number of failed attempts before the account is - locked out (lockout threshold).
- The time period that these attempts must occur within (observation window).
- How long the account is locked out for (lockout duration).
When designing an account lockout system, care must be taken to prevent it from being used to cause a denial of service by locking out other users' accounts. One way this could be performed is to allow the user of the forgotten password functionality to log in, even if the account is locked out.