We currently need to handle use cases for when a malicious user tries to launch an attack to guess a user's login for any account in the payment process. This includes:
- The PIN
- The persona account
cc-ing Raymond for input, Maria for UX
Account locking for email/password will be handled by Persona and is not something Marketplace can work on (so I guess ask Persona what their policy is?). The Marketplace can only handle PIN locking.
Ray: how many times before we lock out the user? How long do we lock them out for?
Maria: we'll be looking for your help to make sure the lock-out is a friendly user experience that does not inconvenience non-evil people :)
At-risk feature work can't block at this point can't block based on the discussions in today's b2g meeting.
Also, if they hit PIN lockout, do we want to log them out/lock them out of the rest of their account for the duration? Or just lock their PIN and not let them purchase until it is unlocked and they remember it?
Also are there ways to get around the lock? Such as using a forgotten PIN link that lets you change it?
(In reply to Jason Smith [:jsmith] from comment #2)
> At-risk feature work can't block at this point can't block based on the
> discussions in today's b2g meeting.
Ignore my comment here btw. Apparently this was a point of confusion on my behalf.
I made this bug PIN specific. I believe Persona already filed for their lock-out feature, can't find the bug though.
Making this a P1 since we need this to prevent brute force PIN attacks.
Ray, how many incorrect PIN entries before we should lock out a user? Note that they will be logged in with a single Persona account so we probably don't have to try and block IPs or anything.
The UX flow for this will be:
- user enters pin incorrectly [n] times
- on last incorrect try the pin screen shows text saying "The pin was entered incorrectly too many times. Sign in to continue".
- two buttons are available: "sign in" and "cancel"
See page 21-23 in updated specs:
Sorry - that's page 21 only. The user will not be asked to reset the pin for this case, just re-authenticate by signing in. After that they can try for [n] more times.
For single device we can simply log them out and force them to log in again when they revisit, but for multiple devices this doesn't hold up.
Even if we remember that they were locked out and when, do we have a way of determining when they log in? We'll need to make sure it was after the point when they were locked out. I don't know much about Persona so maybe this is viable?
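The multi-device case above is what makes the lock state server-side rather than per-session: a wrong-PIN counter on the device can be bypassed by trying again from another device, and a sign-in that happened before the lock must not clear it. The following is an added example (not Marketplace or Persona code) of that logic: a single lock record per user, a lock after the 5 attempts agreed later in this thread, and an unlock only when a recorded sign-in timestamp is later than the lock timestamp. The class and function names, the in-memory store, and the PBKDF2 PIN hashing are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

MAX_PIN_ATTEMPTS = 5  # the count agreed in this thread


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stored record never contains the raw PIN (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class PinRecord:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None   # None means not locked
    last_sign_in: Optional[datetime] = None  # most recent Persona sign-in we saw


class PinLockout:
    """Server-side PIN lockout shared by every device the account uses (hypothetical)."""

    def __init__(self, max_attempts: int = MAX_PIN_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self._users: Dict[str, PinRecord] = {}  # stands in for a database table

    def set_pin(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = PinRecord(salt=salt, pin_hash=hash_pin(pin, salt))

    def record_sign_in(self, user: str, when: datetime) -> None:
        """Called when the identity provider confirms a sign-in at time `when`."""
        self._users[user].last_sign_in = when

    def is_locked(self, user: str) -> bool:
        rec = self._users[user]
        if rec.locked_at is None:
            return False
        # Only a sign-in that happened AFTER the lock clears it; a session that
        # was already open on another device before the lock does not count.
        if rec.last_sign_in is not None and rec.last_sign_in > rec.locked_at:
            rec.locked_at = None
            rec.failed_attempts = 0
            return False
        return True

    def check_pin(self, user: str, pin: str, now: datetime) -> str:
        """Returns "ok", "wrong", or "locked". A correct PIN is refused while locked."""
        rec = self._users[user]
        if self.is_locked(user):
            return "locked"
        if hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash):
            rec.failed_attempts = 0
            return "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= self.max_attempts:
            rec.locked_at = now  # the last wrong try is the one that shows the lockout screen
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through: five wrong entries, then an old session, then a fresh sign-in.
    t0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
    svc = PinLockout()
    svc.set_pin("user@example.com", "1234")
    svc.record_sign_in("user@example.com", t0)
    for i in range(5):
        print(svc.check_pin("user@example.com", "0000", t0 + timedelta(seconds=i + 1)))
    print(svc.check_pin("user@example.com", "1234", t0 + timedelta(seconds=10)))  # still locked
    svc.record_sign_in("user@example.com", t0 + timedelta(minutes=1))
    print(svc.check_pin("user@example.com", "1234", t0 + timedelta(minutes=2)))   # ok again
```

The check in `is_locked` is the piece that answers the question in the comment: the lock and the sign-in are both timestamped on the server, so "did they sign in after being locked out?" is a single comparison that works no matter which device the attempts or the sign-in came from. Any "forgotten PIN" reset path would need to go through the same re-authentication gate, or it becomes a way around the lock.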
We need the "log out everywhere" feature coming soon to Persona. https://bugzilla.mozilla.org/show_bug.cgi?id=797947#c2
Ah good stuff. Makes sense now.
so, can we force a logout if they fail X amount of PIN attempts? Off the top of my head, I would say 5.
(In reply to Raymond Forbes[:rforbes] from comment #12)
> so, can we force a logout if they fail X amount of PIN attempts? Off the
> top of my head, I would say 5.
Sounds great, I'm down with 5.
-> wraithan then. If wraithan is the wrong person, let me know. thanks. :)
Not part of the on-device requirements for ship. Removing nom.
We need this for the Jan 15th launch
Andym is going to take care of this while I work on the auth decorator.
Adds in locking, passing back to Wraithan.
Adding the unlock pin to this as a dependency because otherwise we'll be locking people out without ever letting them back in.
Doing the front end for this today.
Front end completed.
Pin lockout has been implemented.