From c724c00667ed263e6f96c47bf3182b6ca0cb072f Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Mon, 26 Jun 2023 20:07:39 +0200 Subject: [PATCH] docs: user-management: add section for TFA lockouts adapted from pve-docs' commit 96a0d13 ("user management: document TFA lockout") Signed-off-by: Thomas Lamprecht --- docs/user-management.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/user-management.rst b/docs/user-management.rst index 8d3c6f92..5a1c523e 100644 --- a/docs/user-management.rst +++ b/docs/user-management.rst @@ -563,6 +563,32 @@ use :ref:`API Tokens ` for all other use cases, especially non-interactive ones (for example, adding a Proxmox Backup Server to Proxmox VE as a storage). +.. _user_tfa_lockout: + +Limits and Lockout of Two-Factor Authentication +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A second factor is meant to protect users if their password is somehow leaked +or guessed. However, some factors could still be broken by brute force. For +this reason, users will be locked out after too many failed 2nd factor login +attempts. + +For TOTP, 8 failed attempts will disable the user's TOTP factors. They are +unlocked when logging in with a recovery key. If TOTP was the only available +factor, admin intervention is required, and it is highly recommended to require +the user to change their password immediately. + +Since FIDO2/Webauthn and recovery keys are less susceptible to brute force +attacks, the limit there is higher (100 tries), but all second factors are +blocked for an hour when exceeded. + +An admin can unlock a user's Two-Factor Authentication at any time via the user +list view in the web UI, or using the command line: + +.. code-block:: console + + proxmox-backup-manager user tfa unlock joe@pve + Authentication Realms ---------------------
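Review bot: The unlock example `proxmox-backup-manager user tfa unlock joe@pve` looks like it was carried over from the pve-docs commit this text is adapted from; Proxmox Backup Server users live in the `pam` or `pbs` realm, so `joe@pbs` would be the native example here, and since the "Authentication Realms" section follows directly, the mismatch will be noticeable. Two smaller wording points in the same hunk: "FIDO2/Webauthn" should be "FIDO2/WebAuthn" to match the spelling used elsewhere in the docs, and "2nd factor login attempts" in the first paragraph is better as "second-factor login attempts" for consistency with "second factors" two paragraphs later. It would also help operators if the TOTP paragraph said explicitly that the 8-attempt lockout persists until a recovery key is used or an admin unlocks it (i.e. it does not expire on its own), since the FIDO2/recovery-key paragraph gives a one-hour duration and readers may assume the same for TOTP.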