Create a brute force login protection module set

[jasonmunro]

lots of great ideas on this here:
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

[marclaporte]

@Danelif please advise.

[Danelif]

Alright

[Danelif]

I have read this article carefully https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and found it very relevant. But some techniques are not included in it.
If we want to create brute-force login protection, consider including the (2-3) FA technique (2-3 Factor Authentication). The user might provide a unique OTP sent to his email address or mobile phone once the username/password is correct.
Also, The limitation of attempting to log in can be considered from a single IP address. If the limit is reached we can suggest the user to recover it password by emailing an OTP to the email in our database.

[marclaporte]

@Danelif Thank you, please look at how it is done in Tiki to get some more good ideas.

[Danelif]

@marclaporte In tiki 2FA is done using Google2FA php library. Good idea indeed. Instead of using OTP, in Tiki, we use TOTP. But the only problem is that there is not much documentation and usage I wonder why?

[marclaporte]

Some docs:

• https://doc.tiki.org/PluginTOTP
• https://doc.tiki.org/Two-factor-authentication

TOTP uses time, so the code changes every 30 seconds.

[Danelif]

@marclaporte I have seen how 2FA works in tiki. It could be great to to the same in cypht

[marclaporte]

ok, please proceed as a medium priority. High priority is fixing bugs before adding new features.