From e253a7876e4f7f35d38cef4b2433495c1e04ff39 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Wed, 7 Jun 2023 17:45:52 +0200 Subject: [PATCH] user management: small follow-up rewording/nits for TFA locks Signed-off-by: Thomas Lamprecht --- pveum.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pveum.adoc b/pveum.adoc index 707e87d..a24598d 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -580,7 +580,7 @@ https://www.yubico.com/products/services-software/yubicloud/[YubiCloud] or https://developers.yubico.com/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/[host your own verification server]. [[pveum_tfa_lockout]] -Limits and lockout of Two-Factor Authentication +Limits and Lockout of Two-Factor Authentication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A second factor is meant to protect users if their password is somehow leaked @@ -588,14 +588,14 @@ or guessed. However, some factors could still be broken by brute force. For this reason, users will be locked out after too many failed 2nd factor login attempts. -For TOTP 8 failed attempts will disable the user's TOTP factors. They are +For TOTP, 8 failed attempts will disable the user's TOTP factors. They are unlocked when logging in with a recovery key. If TOTP was the only available factor, admin intervention is required, and it is highly recommended to require the user to change their password immediately. Since FIDO2/Webauthn and recovery keys are less susceptible to brute force -attacks, the limit there is higher, but block all second factors for an hour -when exceeded. +attacks, the limit there is higher (100 tries), but all second factors are +blocked for an hour when exceeded. An admin can unlock a user's Two-Factor Authentication at any time via the user list in the UI or the command line:
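Review bot: the heading change in the first hunk only alters the case of "Lockout", so the `~` underline on the next line still matches the title length and needs no adjustment; do check that the neighbouring sub-headings in pveum.adoc also use title case, otherwise this one will now stand out rather than blend in.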
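Review bot: the second hunk introduces a concrete figure, "(100 tries)", that did not appear in the docs before; confirm it matches the default actually enforced by the TFA lockout code so the documentation does not drift from the implementation, and consider stating whether that counter is per user or per factor, as the TOTP paragraph does with "disable the user's TOTP factors". Minor style nit on the same lines: "FIDO2/Webauthn" is kept as is, while the standard spelling is "WebAuthn".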