Users can lock an arbitrary account with knowledge of email
Description
If I know a person's edX email address, I can make multiple wrong login attempts and that will lock this person out of their account. There is no recourse for them to quickly gain back access (see #PLAT-2455).
Instead of locking accounts on failed login attempts, issue a challenge (e.g. reCAPTCHA v2) after X failed login attempts. This is more effective and does not let people abuse the feature.
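As an added illustration of the mitigation proposed above (example code, not edX platform code): a login gate that counts recent failures per account and, once X of them have accumulated, demands a solved challenge on every attempt instead of locking the account. The `LoginGate` class, the threshold of 3, the 15-minute decay window, the sample user and the `"solved-captcha"` token are constructed assumptions; a real deployment would verify the token against the reCAPTCHA API inside `verify_challenge`.

```python
import time
from collections import defaultdict

CHALLENGE_AFTER = 3        # X failed attempts before a challenge is required (assumed)
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten (assumed)


class LoginGate:
    """Hypothetical throttle: escalates to a challenge, never locks the account."""

    def __init__(self, verify_password, verify_challenge, now=time.time):
        self.verify_password = verify_password
        self.verify_challenge = verify_challenge
        self.now = now
        self.failures = defaultdict(list)  # email -> timestamps of failed attempts

    def _recent_failures(self, email):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[email] = [t for t in self.failures[email] if t > cutoff]
        return len(self.failures[email])

    def login(self, email, password, challenge_token=None):
        """Returns 'ok', 'bad_credentials' or 'challenge_required'."""
        # Check the challenge before the password so a throttled caller learns
        # nothing about whether the guess was right.
        if self._recent_failures(email) >= CHALLENGE_AFTER:
            if not (challenge_token and self.verify_challenge(challenge_token)):
                return "challenge_required"
        if self.verify_password(email, password):
            self.failures.pop(email, None)  # a successful login clears the counter
            return "ok"
        self.failures[email].append(self.now())
        return "bad_credentials"


def demo():
    clock = [1_000_000.0]                                    # fake clock (constructed)
    users = {"alice@example.com": "correct horse battery staple"}  # constructed sample
    gate = LoginGate(lambda e, p: users.get(e) == p,
                     lambda tok: tok == "solved-captcha",     # stand-in for reCAPTCHA verify
                     lambda: clock[0])
    email = "alice@example.com"
    attacker = [gate.login(email, f"guess{i}") for i in range(4)]   # 4th hits the challenge
    victim_no_token = gate.login(email, users[email])              # still challenged, not locked
    victim_with_token = gate.login(email, users[email], challenge_token="solved-captcha")
    for _ in range(CHALLENGE_AFTER):                         # a second burst of bad guesses
        gate.login(email, "wrong")
    clock[0] += WINDOW_SECONDS + 1                           # counter decays by itself
    after_window = gate.login(email, users[email])           # no admin unlock needed
    return attacker, victim_no_token, victim_with_token, after_window
```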
Steps to Reproduce
None
Current Behavior
None
Expected Behavior
None
Reason for Variance
None
Release Notes
None
User Impact Summary
None
Activity
Ivan Trendafilov
June 6, 2019, 2:06 PM
Case in point: you can find a person's email fairly easily, then lock them out.
Won't Do
Assignee
Reporter
Labels
None
Reach
None
Impact
None
Platform Area
None
Customer
None
Partner Manager
URL
None
Contributor Name
None
Groups with Read-Only Access
None
Actual Points
None
Category of Work
None
Platform Map Area (Levels 1 & 2)
None
Platform Map Area (Levels 3 & 4)
None
Priority
