It seems there is no way to lock out "incorrect password attempts", which makes a brute-force break-in possible. It should be possible to lock out such attempts by disabling the user for "some minutes" or permanently, including an internal alert for such situations.
I got a request from a Customer who would like to buy a large number of Filr licenses. They are in trouble because of brute-force/accidental failures during authentication: because they have a limit lower than 6 failed attempts in AD's settings, such attacks/failed logins lead to account lockout on the AD side. This is a very serious problem for them and they need a solution for this case.
CAPTCHA isn't a real solution:
- the limit for CAPTCHA is 6 failed attempts and cannot be changed, as this setting is hardcoded and cannot be changed using the Filr Administration Console
- CAPTCHA, as far as I know, is an external service, and in the case that there is no Internet connection it cannot be used. Probably I'm wrong here, but if I'm right, this is a serious point against CAPTCHA. Anyway, we are dependent on a third party because of that, and this is not a really good thing in my understanding
There are other ways to solve this, like NAM or Microsoft ADFS, but they lead to additional costs, which make Filr more expensive for the Customer and, as a result, interest in Filr may be impacted.
The solution, in my understanding, would be realized as something like a Filr Intruder Lockout Policy/Policies, like we have in others of our products. The Filr Administrator would be able to manage the Failed Attempts Limit and make it lower than the similar setting for eDir/AD; in this case only the Filr account would be locked, but not the eDir/AD/LDAP account itself. This is exactly what the Customer wants to have in Filr, please think about it.
I'm not a developer, so I can't evaluate the additional costs for such a Feature, but, as we have this functionality in our products like iManager, which uses Tomcat as a platform just as Filr does, I hope these costs will not be very high and the Feature may be realized fast enough.
This isn't a real Stopper for this deal as far as I know, but it is one of the hardest moments we have right now. If the Feature is realized soon enough, our life will be much easier.
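As an added illustration of the lockout policy the comment asks for (example code, not Filr's or any Micro Focus product's implementation): an application-side intruder lockout that trips at a limit below the directory's, so failed binds stop being forwarded and the eDir/AD account itself is never locked, and an internal alert is raised. `FakeDirectory`, `IntruderLockout` and the lockout duration are constructed for the example; the threshold of 6 is the AD limit the post mentions.

```python
import time
from dataclasses import dataclass, field

AD_LOCKOUT_THRESHOLD = 6  # directory-side limit from the post; the app limit must stay below it


@dataclass
class FakeDirectory:
    """Constructed stand-in for an AD/LDAP bind that locks after AD_LOCKOUT_THRESHOLD failures."""
    password: str
    bad_count: int = 0
    locked: bool = False

    def bind(self, password: str) -> bool:
        if self.locked:
            return False
        if password == self.password:
            self.bad_count = 0
            return True
        self.bad_count += 1
        self.locked = self.bad_count >= AD_LOCKOUT_THRESHOLD
        return False


@dataclass
class IntruderLockout:
    """Application-side failed-attempt limit with a temporary per-user lock and alerting."""
    limit: int                     # must be lower than the directory's own threshold
    lockout_seconds: float
    failures: dict = field(default_factory=dict)      # user -> consecutive failed attempts
    locked_until: dict = field(default_factory=dict)  # user -> timestamp when the lock expires
    alerts: list = field(default_factory=list)        # internal alerts raised on lockout

    def __post_init__(self):
        if self.limit >= AD_LOCKOUT_THRESHOLD:
            raise ValueError("application limit must be lower than the directory threshold")

    def attempt(self, user: str, password: str, directory: FakeDirectory, now: float) -> str:
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"           # not forwarded: the directory's bad-password count is untouched
        if until is not None:         # lock expired: start with a clean counter
            del self.locked_until[user]
            self.failures.pop(user, None)
        if directory.bind(password):
            self.failures.pop(user, None)
            return "ok"
        count = self.failures[user] = self.failures.get(user, 0) + 1
        if count >= self.limit:       # trip the app-side lock before the directory's limit is reached
            self.locked_until[user] = now + self.lockout_seconds
            self.alerts.append(f"intruder lockout: user={user} after {count} failures at t={now}")
            return "locked"
        return "failed"
```

The lockout duration should be at least as long as the directory's own reset window for its failure counter; otherwise the forwarded failures from several lock cycles can still accumulate on the directory side.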