What's the problem this feature will solve?
Credential stuffing attacks are becoming more common. It may be useful to have a flag which disables or restricts logins to prevent credential stuffing attacks from having a widespread impact. Having a flag allows us to regroup and determine next steps without being on a clock.
We already do a great job by having an IP address rate limit and requiring 2FA (so hopefully accounts of high value have already added 2FA?) and having metrics monitoring for login failures, so we'd hopefully never need to use the flag. This feature came up in a discussion about credential stuffing that affected other services. I think a fine outcome of this issue is to decide we don't need such a flag.
Other thoughts:
Maybe can limit logging in to non-2FA accounts instead of all accounts?
Mike also suggested alternatives such as requiring solving a captcha to login instead of disabling logins completely.
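One way the flag levels floated in this issue (disable everything, restrict to 2FA accounts, or require a captcha) could be wired into a login path, as an added illustration and not the project's own code; the `LoginFlag` values, the `Account` fields and the `verify_password` callback are assumptions. The point it shows is that the flag is evaluated before the password is checked, so while the flag is on a stuffing campaign gets no confirmation of which leaked credentials are valid.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class LoginFlag(Enum):
    """Assumed operator-controlled kill switch levels, most to least permissive."""
    NORMAL = "normal"            # no extra restriction
    CAPTCHA = "captcha"          # every login must present a solved captcha
    TWO_FA_ONLY = "2fa-only"     # only accounts enrolled in 2FA may log in
    DISABLED = "disabled"        # no interactive logins at all


@dataclass(frozen=True)
class Account:
    username: str
    has_2fa: bool


def evaluate_login(
    account: Account,
    password: str,
    captcha_ok: bool,
    flag: LoginFlag,
    verify_password: Callable[[Account, str], bool],
) -> tuple[bool, str]:
    """Return (allowed, reason) for a password login attempt.

    The flag checks run first and return early, so verify_password is only
    reached when the current flag level permits this account to log in at
    all. A restricted site therefore neither confirms nor denies a stuffed
    credential, and the same reason is returned whether or not the
    password would have matched. Passing the 2FA check here only means the
    second factor step may follow; it is not performed by this function.
    """
    if flag is LoginFlag.DISABLED:
        return False, "logins temporarily disabled"
    if flag is LoginFlag.TWO_FA_ONLY and not account.has_2fa:
        return False, "logins restricted to accounts with 2FA"
    if flag is LoginFlag.CAPTCHA and not captcha_ok:
        return False, "captcha required"
    if not verify_password(account, password):
        return False, "invalid credentials"
    return True, "ok"
```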