summary

Users can lock an arbitrary account with knowledge of email

Description

If I know a person's edX email address, I can make multiple wrong login attempts and that will lock this person out of their account. There is no recourse for them to quickly gain back access (see #PLAT-2455).

Instead of locking accounts on failed login attempts, instead issue a challenge (e.g. reCaptcha v2) after X failed login attempts. This is more effective and doesn't allow people to abuse the feature.

Steps to Reproduce

None

Current Behavior

None

Expected Behavior

None

Reason for Variance

None

Release Notes

None

User Impact Summary

None

Activity

Show:

Ivan Trendafilov

June 6, 2019, 2:06 PM

case in point, you can find a person's email fairly easily, then lock them out.

Won't Do

Assignee

Unassigned

Reporter

Ivan Trendafilov

Labels

None

Reach

None

Impact

None

Platform Area

None

Customer

None

Partner Manager

None

URL

None

Contributor Name

None

Groups with Read-Only Access

None

Actual Points

None

Category of Work

None

Platform Map Area (Levels 1 & 2)

None

Platform Map Area (Levels 3 & 4)

None

Priority

Unset

Configure

Cross Team Bugs

Users can lock an arbitrary account with knowledge of email

Description

Steps to Reproduce

Current Behavior

Expected Behavior

Reason for Variance

Release Notes

User Impact Summary

Activity

Assignee

Reporter

Labels

Reach

Impact

Platform Area

Customer

Partner Manager

URL

Contributor Name

Groups with Read-Only Access

Actual Points

Category of Work

Platform Map Area (Levels 1 &amp; 2)

Platform Map Area (Levels 3 &amp; 4)

Priority

Platform Map Area (Levels 1 & 2)

Platform Map Area (Levels 3 & 4)