Account Lockout - Elixir

Account Lockout - Elixir

Need

To prevent potential denial of service for valid users via account lockouts.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of user lockout feature for failed authentication attempts

Description

Non compliant code

        defmodule VulnerableApp do
  def login(user, password) do
    case authenticate(user, password) do
      :ok -> {:ok, get_user(user)}
      {:error, :invalid_credentials} -> update_failed_attempts(user)
    end
  end

  defp update_failed_attempts(user) do
    user
    |> increment_failed_attempts()
    |> case do
      %{failed_attempts: 3} -> lock_account(user)
      _ -> :ok
    end
  end
end

This code accepts user credentials and locks the user account after three failed login attempts. An attacker could exploit this by purposely failing login attempts for a targeted user, effectively locking them out of their account.

Steps

  • Implement a delay after each failed authentication attempt, which increases with each attempt. This slows down brute force attacks without locking out legitimate users.
  • Use a CAPTCHA after a certain number of failed attempts to prevent automated brute force attacks.
  • Notify users via email or SMS when their account is locked out due to failed login attempts, and provide them with a way to unlock their account.

Compliant code

        defmodule SecureApp do
  def login(user, password) do
    case authenticate(user, password) do
      :ok -> {:ok, get_user(user)}
      {:error, :invalid_credentials} -> update_failed_attempts(user)
    end
  end

  defp update_failed_attempts(user) do
    user
    |> increment_failed_attempts()
    |> case do
      %{failed_attempts: 3} -> notify_user_and_lock_account(user)
      _ -> :ok
    end
  end
end

This code implements a progressive delay after each failed login attempt, slowing down potential brute force attacks without locking out legitimate users. It also sends a notification to the user when their account is locked, providing a way for legitimate users to unlock their account.

References