If user fails to enter PIN X amount of times lock the account

VERIFIED FIXED in 2013-01-10

Status

Marketplace
Payments/Refunds
P1
normal
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: jsmith, Assigned: wraithan)

Tracking

2013-01-10
Points:
---
Dependency tree / graph

Details

(Whiteboard: u=patron c=pmt p=2 w=1)

(Reporter)

Description

5 years ago
We currently need to handle use cases for when a malicious user tries to launch an attack to guess a user's login for any account in the payment process. This includes:

- The PIN
- The persona account

cc-ing Raymond for input, Maria for UX
(Reporter)

Updated

5 years ago
Blocks: 794530
Account locking for email/password will be handled by Persona and is not something Marketplace can work on (so I guess ask Persona what their policy is?). The Marketplace can only handle PIN locking.

Ray: how many times before we lock out the user? How long do we lock them out for?

Maria: we'll be looking for your help to make sure the lock-out is a friendly user experience that does not inconvenience non-evil people :)
Blocks: 795105
Assignee: nobody → msandberg
blocking-basecamp: --- → ?
Keywords: uiwanted
Priority: -- → P2
(Reporter)

Comment 2

5 years ago
At-risk feature work can't block at this point can't block based on the discussions in today's b2g meeting.
blocking-basecamp: ? → ---
Also if they PIN lockout do we want to log them out/lock them out of the rest of their account for the duration. Or just lock their PIN and not let them purchase until it is unlocked and they remember it. 

Also are there ways to get around the lock? Such as using a forgotten PIN link that lets you change it?
(Reporter)

Comment 4

5 years ago
(In reply to Jason Smith [:jsmith] from comment #2)
> At-risk feature work can't block at this point can't block based on the
> discussions in today's b2g meeting.

Ignore my comment here btw. Apparently this was a point of confusion on my behalf.
blocking-basecamp: --- → ?
I made this bug PIN specific. I believe Persona already filed for their lock-out feature, can't find the bug though.

Making this a P1 since we need this to prevent brute force PIN attacks.
Priority: P2 → P1
Summary: If a user fails to login X amount of times for any account involved, we need to lock the associated account → If user fails to enter PIN X amount of times lock the account
Ray, how many incorrect PIN entries before we should lock out a user? Note that they will be logged in with a single Persona account so we probably don't have to try and block IPs or anything.
Flags: needinfo?(rforbes)
The UX flow for this will be:

- user enters pin incorrectly [n] times
- on last incorrect try the pin screen shows text saying "The pin was entered incorrectly too many times. Sign in to continue".
- two buttons are available: "sign in" and "cancel" 

See page 21-23 in updated specs:
https://www.dropbox.com/s/fjr5aqt8mqq8faq/marketplace-id-payments-20121017.pdf
Sorry - that's page 21 only. The user will not be asked to reset the pin for this case, just re-authenticate by signing in. After that they can try for [n] more times.
For single device we can simply log them out and force them to log in again when they revisit, but for multiple devices this doesn't hold up.

Even if we remember that they were locked out and when, do we have a way to determining when they log in? We'll need to make sure it was after the point when they were locked out. I don't know much about Persona so maybe this is viable?
we need the log out everywhere feature coming soon to Persona. https://bugzilla.mozilla.org/show_bug.cgi?id=797947#c2
Ah good stuff. Makes sense now.
(Reporter)

Updated

5 years ago
Blocks: 775802
No longer blocks: 794530
so, can we force a logout if they fail X amount of PIN attempts?  Off the top of my head, I would say 5.
Flags: needinfo?(rforbes)
(In reply to Raymond Forbes[:rforbes] from comment #12)
> so, can we force a logout if they fail X amount of PIN attempts?  Off the
> top of my head, I would say 5.

Sounds great, I'm down with 5.
-> wraithan then.  If wraithan is the wrong person, let me know. thanks. :)
Assignee: msandberg → xwraithanx
Keywords: uiwanted
Target Milestone: --- → 2012-11-08
(Reporter)

Comment 15

5 years ago
Not part of the on-device requirements for ship. Removing nom.
blocking-basecamp: ? → ---
(Assignee)

Updated

5 years ago
Target Milestone: 2012-11-08 → 2012-11-29
Target Milestone: 2012-11-29 → 2012-12-06
Target Milestone: 2012-12-06 → 2012-12-13
Target Milestone: 2012-12-13 → 2012-12-20
Target Milestone: 2012-12-20 → 2013-01-03
Whiteboard: u=patron c=pmt p=2
We need this for the Jan 15th launch
Target Milestone: 2013-01-03 → 2013-01-10
Andym is going to take care of this while I work on the auth decorator.
Assignee: xwraithanx → amckay

Comment 18

4 years ago
https://github.com/mozilla/solitude/commit/0f6aa2
https://github.com/mozilla/solitude/commit/6337ca

Adds in locking, passing back to Wraithan.
Assignee: amckay → xwraithanx
Adding the unlock pin to this as a dependency because otherwise we'll be locking people out without ever letting them back in.
Depends on: 827580
Doing the front end for this today.
Whiteboard: u=patron c=pmt p=2 → u=patron c=pmt p=2 w=1
https://github.com/mozilla/webpay/commit/8653f561f61c63aeda86f59b45d2558ecb0d78a0
https://github.com/mozilla/solitude/commit/c46508929f510513a9ffc91017a1dc7983630ea3

Front end completed.
(Assignee)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Blocks: 825357

Comment 22

4 years ago
Pin lockout has been implemented.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.