Show all accounts with log in attempts fail?


I've had a few accounts locked yesterday

Account locked from logging in using this IP address until 03/11/2021 09:56 PM following 3 unsuccessful login attempts.

Four of them are Moderators - the IP addresses are 178.239.198.133 and 185.217.117.75

When I go to Members -> Locked there is nothing in the list.


1 hour ago, Ocean West said:

Some are old school, they don't have a smartphone.

Ahh! This is what the Authy question is about. You'd want the text/call option then that Authy provides. My guess is that your moderators aren't going to be as huge a cost as rolling this out to your general membership.


4 minutes ago, Ocean West said:

Thanks 🙏 - I totally missed this option, have now enabled it and have added a bunch of questions.

The not wonderful thing about this option is that these answers are viewable in ACP with no auditing of who is viewing them. This is terrible from a security perspective.

Be careful who has access to view and edit two-factor authentication in member profiles in ACP. I'd recommend turning this off for all administrator groups including your own.


3 minutes ago, Ocean West said:

Yeah, that is odd. I would expect these to be one-way encrypted just like the password is.

I can see a use case for some organizations where this exchange may happen over the phone and that the answers (depending on the questions) may be such where visual inspection of the provided answers could be a part of what happens for identity validation.

That said though, I think it's important that accessing those answers be considered a heightened privilege event. The option should exist to require the administrator to reauthenticate along with their own 2FA if configured as such, and should record an audit trail that the information was accessed by the administrator at said date and time.

We place trust in those we give privileged access to, however we should be able to verify that those responsibilities are not being abused by the individuals themselves or by a compromise affecting that individual's accounts.

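The two points raised in the posts above (one-way storage of security answers, and treating administrator access to them as an audited, reauthenticated event) can be combined, as in this added sketch, which is not part of the original thread and is not Invision Community code. All names, the 5-minute reauthentication window and the use of PBKDF2 are assumptions: the administrator types the answer the caller gives over the phone and only learns whether it matches.

```python
import hashlib, hmac, json, os

REAUTH_WINDOW = 300   # seconds an admin reauthentication stays valid (assumed policy)
ITERATIONS = 200_000  # PBKDF2 work factor (assumed)

def normalize(answer):
    # Case- and whitespace-insensitive so a spoken or retyped answer still matches.
    return " ".join(answer.lower().split()).encode()

def hash_answer(answer, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)

def verify_answer(candidate, salt, digest):
    return hmac.compare_digest(hash_answer(candidate, salt)[1], digest)

class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False  # an entry was edited, removed or reordered
            prev = e["hash"]
        return True

def admin_check_answer(log, admin, member, candidate, record, last_reauth, now):
    """Check a candidate answer for an admin; every attempt is logged, allowed or not."""
    fresh = last_reauth is not None and 0 <= now - last_reauth <= REAUTH_WINDOW
    matched = fresh and verify_answer(candidate, *record)
    log.append({"action": "check_security_answer", "admin": admin, "member": member,
                "at": now, "allowed": fresh, "matched": matched})
    return matched
```
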
