Summary

The system must never block a user account after one or several failed authentication attempts.

Description

Account blocking is a double-edged sword if an attacker is trying to guess an account password and if it is blocked on the third attempt, the account is useless, even for the original owner. Extrapolating this case to an attack on all users, a high impact on availability would be generated if the accounts are blocked.
The recommendation is to set different controls, for example, a captcha on the third attempt, and if the system does not support captcha, resort to incremental delays before each authentication attempt. This mitigates the risk of brute force attacks (which is what the block is intended to do) and does not generate unavailability.

Supported In

This requirement is verified in following services

References

• CAPEC™-2. Inducing account lockout
• CAPEC™-212. Functionality misuse
• CWE™-645. Overly restrictive account lockout mechanism
• MITRE ATT&CK®-M1036. Account use policies
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices

Vulnerabilities

• 087.Account lockout

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.