Posted

I had a few accounts locked yesterday:

Account locked from logging in using this IP address until 03/11/2021 09:56 PM following 3 unsuccessful login attempts.

Four of them are moderators; the IP addresses are 178.239.198.133 and 185.217.117.75.

When I go to Members -> Locked, there is nothing in the list.

  • Management
Posted

Do you use Username/Password log in? If so, I'd recommend switching to email/password as this will be harder to brute force.

Posted

@Matt I see I have the legacy Display Name or Email Address option. If I change it, what happens to people who have a defunct email account?

Also, how do I see all locked accounts or failed login attempts, to see if there are additional IP addresses?

Posted
1 hour ago, Ocean West said:

Some are old school; they don't have a smartphone.

Ahh! This is what the Authy question is about. You'd want the text/call option then that Authy provides. My guess is that your moderators aren't going to be as huge a cost as rolling this out to your general membership.

Posted
4 minutes ago, Ocean West said:

Thanks 🙏 - I totally missed this option. I have now enabled it and added a bunch of questions.

The not wonderful thing about this option is that these answers are viewable in ACP with no auditing of who is viewing them. This is terrible from a security perspective.

Be careful who has access to view and edit two-factor authentication in member profiles in ACP. I'd recommend turning this off for all administrator groups including your own.

Posted

Yeah, that is odd. I would expect these to be one-way encrypted, just like the password is.

It seems there would also need to be a second set of admin questions if a user needs to verify themselves to an admin. 🤷‍♂️

Posted
3 minutes ago, Ocean West said:

Yeah, that is odd. I would expect these to be one-way encrypted, just like the password is.

I can see a use case for some organizations where this exchange may happen over the phone and that the answers (depending on the questions) may be such where visual inspection of the provided answers could be a part of what happens for identity validation.

That said though, I think it's important that accessing those answers be considered a heightened privilege event. The option should exist to require the administrator to reauthenticate along with their own 2FA if configured as such, and should record an audit trail that the information was accessed by the administrator at said date and time.

We place trust in those we give privileged access to, however we should be able to verify that those responsibilities are not being abused by the individuals themselves or by a compromise affecting that individual's accounts.
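As an added illustration of what the last two posts argue for (this is hypothetical example code, not Invision Community's implementation, and all class and function names are assumed): security-question answers are stored only as salted one-way hashes, so a help-desk check can confirm an answer the member reads out over the phone without anyone being able to view it, and the check itself is refused unless the administrator has just reauthenticated and is always written to an audit log.

```python
import hashlib
import hmac
import os
import unicodedata
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 recommendation


def normalize_answer(answer: str) -> str:
    """Canonicalise so 'Fido ', 'FIDO' and 'fido' all hash identically."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """One-way hash an answer with a random per-answer salt, as passwords are."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Constant-time comparison of a supplied answer against a stored hash."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SecurityQuestionStore:
    """Hypothetical store: keeps hashes only and logs every admin-side check."""

    def __init__(self) -> None:
        self._hashes = {}    # (member_id, question) -> stored hash string
        self.audit_log = []  # one record per admin access attempt

    def enrol(self, member_id: int, question: str, answer: str) -> None:
        self._hashes[(member_id, question)] = hash_answer(answer)

    def admin_verify(self, admin_id: str, admin_reauthenticated: bool,
                     member_id: int, question: str, answer: str) -> bool:
        """Help-desk check of an answer the member reads out. The admin never sees
        the stored answer, must have just reauthenticated, and is always audited."""
        record = {"at": datetime.now(timezone.utc).isoformat(), "admin": admin_id,
                  "member": member_id, "question": question}
        if not admin_reauthenticated:
            self.audit_log.append({**record, "result": "denied_no_reauth"})
            raise PermissionError("reauthenticate with password and 2FA first")
        ok = verify_answer(answer, self._hashes[(member_id, question)])
        self.audit_log.append({**record, "result": "match" if ok else "mismatch"})
        return ok
```

Because only hashes are kept, the ACP view of raw answers that the thread objects to cannot exist; the trade-off is that an operator can confirm a spoken answer but never read it back.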
