Bug 797930 - If user fails to enter PIN X amount of times lock the account
Whiteboard: u=patron c=pmt p=2 w=1
Product: Marketplace
Classification: Server Software
Component: Payments/Refunds
Version: 1.0
Platform: All / All
Priority: P1, Severity: normal
Target Milestone: 2013-01-10
Assigned To: Wraithan (Chris McDonald) [:wraithan]
Depends on: 827580
Blocks: 825357 marketplace-payments 795105
Reported: 2012-10-04 10:21 PDT by Jason Smith [:jsmith]
Modified: 2013-06-09 21:46 PDT
CC: 8 users
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Description Jason Smith [:jsmith] 2012-10-04 10:21:39 PDT
We currently need to handle use cases for when a malicious user tries to launch an attack to guess a user's login for any account in the payment process. This includes:

- The PIN
- The persona account

cc-ing Raymond for input, Maria for UX
Comment 1 Kumar McMillan [:kumar] (needinfo all the things) 2012-10-04 11:21:25 PDT
Account locking for email/password will be handled by Persona and is not something Marketplace can work on (so I guess ask Persona what their policy is?). The Marketplace can only handle PIN locking.

Ray: how many times before we lock out the user? How long do we lock them out for?

Maria: we'll be looking for your help to make sure the lock-out is a friendly user experience that does not inconvenience non-evil people :)
Comment 2 Jason Smith [:jsmith] 2012-10-16 18:20:30 PDT
At-risk feature work can't block at this point, based on the discussions in today's b2g meeting.
Comment 3 Wraithan (Chris McDonald) [:wraithan] 2012-10-17 03:02:33 PDT
Also, if they hit the PIN lockout, do we want to log them out / lock them out of the rest of their account for the duration? Or just lock their PIN and not let them purchase until it is unlocked and they remember it.

Also are there ways to get around the lock? Such as using a forgotten PIN link that lets you change it?
Comment 4 Jason Smith [:jsmith] 2012-10-17 05:27:11 PDT
(In reply to Jason Smith [:jsmith] from comment #2)
> At-risk feature work can't block at this point, based on the discussions in
> today's b2g meeting.

Ignore my comment here btw. Apparently this was a point of confusion on my behalf.
Comment 5 Kumar McMillan [:kumar] (needinfo all the things) 2012-10-22 10:05:57 PDT
I made this bug PIN specific. I believe Persona already filed for their lock-out feature, can't find the bug though.

Making this a P1 since we need this to prevent brute force PIN attacks.
Comment 6 Kumar McMillan [:kumar] (needinfo all the things) 2012-10-22 10:08:28 PDT
Ray, how many incorrect PIN entries before we should lock out a user? Note that they will be logged in with a single Persona account so we probably don't have to try and block IPs or anything.
Comment 7 Maria Sandberg [:mushi] 2012-10-25 14:51:11 PDT
The UX flow for this will be:

- user enters pin incorrectly [n] times
- on last incorrect try the pin screen shows text saying "The pin was entered incorrectly too many times. Sign in to continue".
- two buttons are available: "sign in" and "cancel" 

See pages 21-23 in the updated specs:
Comment 8 Maria Sandberg [:mushi] 2012-10-25 15:06:13 PDT
Sorry - that's page 21 only. The user will not be asked to reset the pin for this case, just re-authenticate by signing in. After that they can try for [n] more times.
Comment 9 Wraithan (Chris McDonald) [:wraithan] 2012-10-25 15:24:45 PDT
For single device we can simply log them out and force them to log in again when they revisit, but for multiple devices this doesn't hold up.

Even if we remember that they were locked out and when, do we have a way of determining when they log in? We'll need to make sure it was after the point when they were locked out. I don't know much about Persona, so maybe this is viable?
Comment 10 Kumar McMillan [:kumar] (needinfo all the things) 2012-10-25 16:09:14 PDT
we need the log out everywhere feature coming soon to Persona.
Comment 11 Wraithan (Chris McDonald) [:wraithan] 2012-10-29 10:16:16 PDT
Ah good stuff. Makes sense now.
Comment 12 Raymond Forbes[:rforbes] 2012-11-05 10:47:48 PST
so, can we force a logout if they fail X amount of PIN attempts?  Off the top of my head, I would say 5.
Comment 13 Maria Sandberg [:mushi] 2012-11-05 13:55:19 PST
(In reply to Raymond Forbes[:rforbes] from comment #12)
> so, can we force a logout if they fail X amount of PIN attempts?  Off the
> top of my head, I would say 5.

Sounds great, I'm down with 5.
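The flow agreed in comments 7 through 13 (lock after 5 wrong PINs, show the sign-in screen, and clear the lock only by re-authenticating, with comment 9's point that a sign-in only counts if it happened after the lock) as an added Python example. This is not Marketplace or Solitude code: the salted PBKDF2 storage of the PIN, the field names, the `session_auth_at` timestamp carried by the session, and the `reset_pin` handling of comment 3's forgot-PIN question are all assumptions made for the example.

```python
"""PIN lockout model for the flow described in this bug (added example, not Marketplace code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_PIN_FAILURES = 5      # agreed in comments 12-13
PBKDF2_ROUNDS = 100_000   # assumption: the thread does not say how PINs are stored


@dataclass
class BuyerPin:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_at: Optional[float] = None  # server time of the lockout; None when not locked


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store or compare the raw PIN; a 4-digit PIN is only as safe as the attempt limit.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_pin(pin: str) -> BuyerPin:
    salt = os.urandom(16)
    return BuyerPin(salt=salt, pin_hash=_hash_pin(pin, salt))


def session_predates_lock(buyer: BuyerPin, session_auth_at: float) -> bool:
    """Comment 9's multi-device problem: a session whose Persona sign-in happened at or
    before the lock stays locked, even if another device has since re-authenticated."""
    return buyer.locked_at is not None and session_auth_at <= buyer.locked_at


def check_pin(buyer: BuyerPin, pin: str, session_auth_at: float, now: float) -> str:
    """Return 'ok', 'wrong' or 'locked'. On 'locked' the caller shows the
    "entered incorrectly too many times, sign in to continue" screen from comment 7."""
    if session_predates_lock(buyer, session_auth_at):
        return "locked"
    if buyer.locked_at is not None:
        # Fresh sign-in after the lock: clear it and allow n attempts again (comment 8).
        buyer.locked_at = None
        buyer.failures = 0
    if hmac.compare_digest(_hash_pin(pin, buyer.salt), buyer.pin_hash):
        buyer.failures = 0
        return "ok"
    buyer.failures += 1
    if buyer.failures >= MAX_PIN_FAILURES:
        buyer.locked_at = now
        return "locked"
    return "wrong"


def reset_pin(buyer: BuyerPin, new_pin: str, session_auth_at: float) -> bool:
    """Forgot-PIN path (comment 3 asks whether it bypasses the lock): refuse it from a
    session that predates the lock, so the reset link cannot skip re-authentication."""
    if session_predates_lock(buyer, session_auth_at):
        return False
    buyer.salt = os.urandom(16)
    buyer.pin_hash = _hash_pin(new_pin, buyer.salt)
    buyer.failures = 0
    buyer.locked_at = None
    return True


if __name__ == "__main__":
    buyer = create_pin("1234")
    for attempt in range(MAX_PIN_FAILURES):
        print(attempt + 1, check_pin(buyer, "0000", session_auth_at=10.0, now=20.0 + attempt))
    print("stale session, right PIN:", check_pin(buyer, "1234", session_auth_at=10.0, now=30.0))
    print("new session, right PIN:", check_pin(buyer, "1234", session_auth_at=40.0, now=41.0))
```

Two things the sketch glosses over that matter in production: the failure counter and `locked_at` must be updated atomically in the datastore (a read-increment-write in application code lets parallel requests exceed the limit), and `now`/`session_auth_at` must come from the server, not from anything the client sends.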
Comment 14 Wil Clouser [:clouserw] 2012-11-06 09:43:45 PST
-> wraithan then.  If wraithan is the wrong person, let me know. thanks. :)
Comment 15 Jason Smith [:jsmith] 2012-11-06 13:38:53 PST
Not part of the on-device requirements for ship. Removing nom.
Comment 16 Kumar McMillan [:kumar] (needinfo all the things) 2013-01-07 10:03:19 PST
We need this for the Jan 15th launch
Comment 17 Wraithan (Chris McDonald) [:wraithan] 2013-01-07 12:52:09 PST
Andym is going to take care of this while I work on the auth decorator.
Comment 18 Andy McKay [:andym] 2013-01-07 15:46:52 PST

Adds in locking, passing back to Wraithan.
Comment 19 Wraithan (Chris McDonald) [:wraithan] 2013-01-08 07:16:33 PST
Adding the unlock pin to this as a dependency because otherwise we'll be locking people out without ever letting them back in.
Comment 20 Wraithan (Chris McDonald) [:wraithan] 2013-01-08 07:29:57 PST
Doing the front end for this today.
Comment 22 krupa raj[:krupa] 2013-06-09 21:46:25 PDT
Pin lockout has been implemented.
