Users can lock an arbitrary account with knowledge of email

Description

If I know a person's edX email address, I can make multiple wrong login attempts and that will lock this person out of their account. There is no recourse for them to quickly gain back access (see #PLAT-2455).

Instead of locking accounts on failed login attempts, issue a challenge (e.g. reCAPTCHA v2) after X failed login attempts. This is more effective and doesn't allow people to abuse the feature.
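To make the difference between the two policies concrete, here is an added example (not code from this ticket or from Open edX) that models both: a lockout policy that refuses every login, correct password included, once the failure threshold is reached, and the proposed challenge policy that only asks the next login to complete a challenge. The `LoginGuard` and `FakeClock` classes, the threshold of 5 failures, the 15-minute window and the user store are all assumptions made for this illustration.

```python
"""Failed-login handling: account lockout versus a challenge after N failures."""
import hmac
from collections import defaultdict, deque

LOCKOUT = "lockout"       # behaviour described in the ticket: lock the account
CHALLENGE = "challenge"   # proposed behaviour: require a challenge, never lock


class FakeClock:
    """Deterministic clock so the example runs the same way every time (assumption)."""
    def __init__(self):
        self.t = 1_000_000.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    """Tracks recent failed logins per email and applies one of the two policies.

    Hypothetical helper written for this example; it is not Open edX code.
    """

    def __init__(self, policy, check_password, clock, threshold=5, window=900):
        self.policy = policy
        self.check_password = check_password
        self.clock = clock
        self.threshold = threshold            # failures before the policy kicks in
        self.window = window                  # seconds a failure stays counted
        self._failures = defaultdict(deque)   # email -> timestamps of recent failures
        self._locked_until = {}               # email -> unlock time (lockout policy only)

    def _recent_failures(self, email):
        q = self._failures[email]
        cutoff = self.clock.now() - self.window
        while q and q[0] < cutoff:            # drop failures older than the window
            q.popleft()
        return len(q)

    def attempt(self, email, password, challenge_passed=False):
        """Returns one of: ok, bad_credentials, locked, challenge_required."""
        now = self.clock.now()
        if self.policy == LOCKOUT and self._locked_until.get(email, 0) > now:
            # Lockout refuses even the correct password: anyone who knows the
            # email can keep the real owner out by failing enough times.
            return "locked"
        if (self.policy == CHALLENGE
                and self._recent_failures(email) >= self.threshold
                and not challenge_passed):
            # Challenge: the owner can still log in right away by completing it.
            return "challenge_required"
        if self.check_password(email, password):
            self._failures[email].clear()
            return "ok"
        self._failures[email].append(now)
        if self.policy == LOCKOUT and self._recent_failures(email) >= self.threshold:
            self._locked_until[email] = now + self.window
        return "bad_credentials"


# Constructed user store for the demo (sample data, not a real account).
USERS = {"alice@example.com": "correct horse battery staple"}


def check_password(email, password):
    stored = USERS.get(email)
    return stored is not None and hmac.compare_digest(stored, password)


def simulate(policy, threshold=5):
    """Someone fails `threshold` times knowing only the email; then the owner logs in."""
    clock = FakeClock()
    guard = LoginGuard(policy, check_password, clock, threshold=threshold)
    for _ in range(threshold):
        guard.attempt("alice@example.com", "wrong-guess")
        clock.advance(1)
    owner_plain = guard.attempt("alice@example.com", USERS["alice@example.com"])
    owner_challenged = guard.attempt("alice@example.com", USERS["alice@example.com"],
                                     challenge_passed=True)
    return owner_plain, owner_challenged


if __name__ == "__main__":
    print("lockout:  ", simulate(LOCKOUT))     # ('locked', 'locked')
    print("challenge:", simulate(CHALLENGE))   # ('challenge_required', 'ok')
```

Under the lockout policy the owner is shut out for the whole window no matter what they type, which is the denial of service the ticket describes; under the challenge policy the owner gets in on the first attempt that completes the challenge, while a wrong password with a completed challenge still counts as a failure and never locks anything.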

Steps to Reproduce

None

Current Behavior

None

Expected Behavior

None

Reason for Variance

None

Release Notes

None

User Impact Summary

None

Activity

Ivan Trendafilov
June 6, 2019, 2:06 PM

Case in point: you can find a person's email fairly easily, then lock them out.

Won't Do

Assignee

Unassigned

Reporter

Ivan Trendafilov

Labels

None

Reach

None

Impact

None

Platform Area

None

Customer

None

Partner Manager

None

URL

None

Contributor Name

None

Groups with Read-Only Access

None

Actual Points

None

Category of Work

None

Platform Map Area (Levels 1 & 2)

None

Platform Map Area (Levels 3 & 4)

None

Priority

Unset