Bug 797930 (Closed): If user fails to enter PIN X amount of times lock the account
Opened 12 years ago, closed 11 years ago
Categories: Marketplace Graveyard :: Payments/Refunds, defect, P1
Tracking: Not tracked
Status: VERIFIED FIXED, 2013-01-10
People: Reporter: jsmith, Assigned: wraithan
Whiteboard: u=patron c=pmt p=2 w=1
Description
We currently need to handle use cases for when a malicious user tries to launch an attack to guess a user's login for any account in the payment process. This includes:
- The PIN
- The Persona account
cc-ing Raymond for input, Maria for UX
Updated•12 years ago (Reporter)
Blocks: basecamp-payments
Comment 1•12 years ago
Account locking for email/password will be handled by Persona and is not something Marketplace can work on (so I guess ask Persona what their policy is?). The Marketplace can only handle PIN locking. Ray: how many times before we lock out the user? How long do we lock them out for? Maria: we'll be looking for your help to make sure the lock-out is a friendly user experience that does not inconvenience non-evil people :)
Blocks: 795105
Updated•12 years ago
Comment 2•12 years ago (Reporter)
At-risk feature work can't block at this point based on the discussions in today's b2g meeting.
blocking-basecamp: ? → ---
Comment 3•12 years ago (Assignee)
Also, if they hit the PIN lockout, do we want to log them out/lock them out of the rest of their account for the duration, or just lock their PIN and not let them purchase until it is unlocked and they remember it? Also, are there ways to get around the lock, such as using a forgotten-PIN link that lets you change it?
Comment 4•12 years ago (Reporter)
(In reply to Jason Smith [:jsmith] from comment #2)
> At-risk feature work can't block at this point based on the discussions in today's b2g meeting.

Ignore my comment here btw. Apparently this was a point of confusion on my behalf.
blocking-basecamp: --- → ?
Comment 5•12 years ago
I made this bug PIN specific. I believe Persona already filed for their lock-out feature, can't find the bug though. Making this a P1 since we need this to prevent brute force PIN attacks.
Priority: P2 → P1
Summary: If a user fails to login X amount of times for any account involved, we need to lock the associated account → If user fails to enter PIN X amount of times lock the account
Comment 6•12 years ago
Ray, how many incorrect PIN entries before we should lock out a user? Note that they will be logged in with a single Persona account so we probably don't have to try and block IPs or anything.
Flags: needinfo?(rforbes)
Comment 7•12 years ago
The UX flow for this will be:
- user enters PIN incorrectly [n] times
- on the last incorrect try the PIN screen shows text saying "The PIN was entered incorrectly too many times. Sign in to continue".
- two buttons are available: "sign in" and "cancel"
See pages 21-23 in the updated specs: https://www.dropbox.com/s/fjr5aqt8mqq8faq/marketplace-id-payments-20121017.pdf
Comment 8•12 years ago
Sorry - that's page 21 only. The user will not be asked to reset the PIN for this case, just re-authenticate by signing in. After that they can try [n] more times.
Comment 9•12 years ago (Assignee)
For a single device we can simply log them out and force them to log in again when they revisit, but for multiple devices this doesn't hold up. Even if we remember that they were locked out and when, do we have a way of determining when they log in? We'll need to make sure it was after the point when they were locked out. I don't know much about Persona, so maybe this is viable?
Comment 10•12 years ago
We need the "log out everywhere" feature coming soon to Persona: https://bugzilla.mozilla.org/show_bug.cgi?id=797947#c2
Comment 11•12 years ago (Assignee)
Ah good stuff. Makes sense now.
Updated•12 years ago (Reporter)
Comment 12•12 years ago
So, can we force a logout if they fail X amount of PIN attempts? Off the top of my head, I would say 5.
Flags: needinfo?(rforbes)
Comment 13•12 years ago
(In reply to Raymond Forbes[:rforbes] from comment #12)
> So, can we force a logout if they fail X amount of PIN attempts? Off the top of my head, I would say 5.

Sounds great, I'm down with 5.
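A constructed illustration of the lockout policy the thread converges on (comments 7, 8 and 13: five failed tries lock the PIN, and only a fresh sign-in unlocks it), including the comment 9 concern that a sign-in must post-date the lock. This is added example code, not solitude's or webpay's; `PinLock`, `hash_pin` and the timestamp comparison are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_ATTEMPTS = 5  # the value agreed in comments 12 and 13


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest of the PIN (assumed scheme, not solitude's storage format)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


class PinLock:
    """Per-buyer failed-PIN counter; hypothetical class written for this bug, not project code."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hash_pin(pin, self.salt)
        self.failures = 0
        self.locked_at: Optional[float] = None  # wall-clock time of the lock, if locked

    @property
    def locked(self) -> bool:
        return self.locked_at is not None

    def check(self, pin: str) -> str:
        """Return "ok", "wrong" or "locked"; a locked buyer gets no PIN comparison at all."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, self.salt), self.digest):
            self.failures = 0  # a correct entry resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_at = time.time()  # front end now shows "Sign in to continue"
            return "locked"
        return "wrong"

    def reauthenticated(self, login_time: float) -> bool:
        """Unlock after a fresh sign-in (comment 8), but only one that post-dates the
        lock (comment 9): a session opened on another device before the lock must
        not count. Returns True when the buyer gets [n] new tries."""
        if self.locked and login_time <= self.locked_at:
            return False
        self.failures = 0
        self.locked_at = None
        return True
```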
Comment 14•12 years ago
-> wraithan then. If wraithan is the wrong person, let me know. thanks. :)
Comment 15•12 years ago (Reporter)
Not part of the on-device requirements for ship. Removing nom.
blocking-basecamp: ? → ---
Updated•12 years ago (Assignee)
Target Milestone: 2012-11-08 → 2012-11-29
Updated•12 years ago
Target Milestone: 2012-11-29 → 2012-12-06
Updated•12 years ago
Target Milestone: 2012-12-06 → 2012-12-13
Updated•12 years ago
Target Milestone: 2012-12-13 → 2012-12-20
Updated•12 years ago
Target Milestone: 2012-12-20 → 2013-01-03
Updated•12 years ago
Whiteboard: u=patron c=pmt p=2
Comment 16•11 years ago
We need this for the Jan 15th launch.
Target Milestone: 2013-01-03 → 2013-01-10
Comment 17•11 years ago (Assignee)
Andym is going to take care of this while I work on the auth decorator.
Assignee: xwraithanx → amckay
Comment 18•11 years ago
https://github.com/mozilla/solitude/commit/0f6aa2
https://github.com/mozilla/solitude/commit/6337ca
Adds in locking, passing back to Wraithan.
Assignee: amckay → xwraithanx
Comment 19•11 years ago (Assignee)
Adding the unlock pin to this as a dependency because otherwise we'll be locking people out without ever letting them back in.
Depends on: 827580
Comment 20•11 years ago (Assignee)
Doing the front end for this today.
Updated•11 years ago
Whiteboard: u=patron c=pmt p=2 → u=patron c=pmt p=2 w=1
Comment 21•11 years ago (Assignee)
https://github.com/mozilla/webpay/commit/8653f561f61c63aeda86f59b45d2558ecb0d78a0
https://github.com/mozilla/solitude/commit/c46508929f510513a9ffc91017a1dc7983630ea3
Front end completed.
Updated•11 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED