Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit OTP guesses to 3 in all contexts #1654

Merged
merged 1 commit into from
Sep 1, 2017
Merged

Limit OTP guesses to 3 in all contexts #1654

merged 1 commit into from
Sep 1, 2017

Conversation

monfresh
Copy link
Contributor

Why: Previously, we allowed unlimited OTP guesses when confirming
a phone number because we didn't think this posed any security risks.
In hindsight this was a poor decision since it can portray our app as
being insecure and affects our reputation and confidence in the system.
We should be defaulting to safe everywhere.

How: Remove any conditional logic that determines whether or not
guesses should be limited. Everyone will now be limited to 3 OTP guesses
regardless of context.

@monfresh monfresh force-pushed the mb-max-otp-attempts branch from 65e5d26 to 4150054 Compare August 31, 2017 15:38
@monfresh
Limit OTP guesses to 3 in all contexts
4150054 
**Why**: Previously, we allowed unlimited OTP guesses when confirming
a phone number because we didn't think this posed any security risks.
In hindsight this was a poor decision since it can portray our app as
being insecure and affects our reputation and confidence in the system.
We should be defaulting to safe everywhere.

**How**: Remove any conditional logic that determines whether or not
guesses should be limited. Everyone will now be limited to 3 OTP guesses
regardless of context.
zachmargolis
zachmargolis approved these changes Aug 31, 2017
View reviewed changes
Copy link
Contributor

@zachmargolis zachmargolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@zachmargolis
Copy link
Contributor

Should we add a feature spec that checks for being locked out during signup?

@monfresh
Copy link
Contributor Author

That spec is in this PR already. The filename of the spec is misleading. I can move it to a new properly-named spec if you prefer.

@zachmargolis
Copy link
Contributor

Nope, I wasn't looking in the right place. It works! 👍

jmhooper
jmhooper approved these changes Aug 31, 2017
View reviewed changes
Copy link
Member

@jmhooper jmhooper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image

Works for me 👍

@monfresh monfresh merged commit f7d7319 into master Sep 1, 2017
@monfresh monfresh deleted the mb-max-otp-attempts branch September 1, 2017 20:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmhooper jmhooper jmhooper approved these changes

@zachmargolis zachmargolis zachmargolis approved these changes

@brodygov brodygov Awaiting requested review from brodygov

Assignees
No one assigned
Labels
status - ready for review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@monfresh @zachmargolis @jmhooper