
Add letters to 2 factor auth

Discussion in 'XenForo Suggestions' started by bebosny, Mar 29, 2016.

  1. bebosny

    bebosny Member

    Hi,

    So currently, if people have 2FA enabled for their email, it will send 6 random digits to your email.
    I've had a case where someone was able to bruteforce himself into an account using only an email and password.

    I think a simple change like adding letters could improve 2FA a lot as bruteforcers would have more combinations to go through. They wouldn't be able to do this as the code would expire by the time they even go through a fraction of the possibilities.

    Thanks!
     
  2. Mike

    Mike XenForo Developer Staff Member

    Are you positive he didn't have access to the email for example? If he shared passwords between his email and other sites, that's very likely. (And why we suggest email 2FA is not the ideal option.)

    We have rate limiting with 2FA attempts to prevent this. This is attached per user, not per IP, so trying from multiple IPs doesn't make a difference. Further, with 6 digits and the code only being valid for 15 minutes, you'd need to send 1100 requests per second to properly brute force it. (Though rate limiting prevents that, unless you get very very lucky.)
     
    Jake B. and ozzy47 like this.
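The numbers in this thread (6 digits, 15-minute validity, attempts limited per user rather than per IP) can be checked with the sketch below. It is an added example, not XenForo's code and not part of either post; `MAX_ATTEMPTS`, `EmailCodeVerifier` and the other names are assumptions, and the thread does not state XenForo's actual attempt cap.

```python
import hmac
import secrets
import string
import time

CODE_TTL = 15 * 60   # validity window stated in the thread, in seconds
MAX_ATTEMPTS = 5     # assumed cap; the thread does not give XenForo's value

def exhaust_rate(alphabet_size, length, ttl=CODE_TTL):
    """Requests per second needed to try every code before it expires."""
    return alphabet_size ** length / ttl

def guess_success_probability(alphabet_size, length, attempts=MAX_ATTEMPTS):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(1.0, attempts / alphabet_size ** length)

class EmailCodeVerifier:
    """Counts attempts per user; the source IP is accepted but never consulted."""
    def __init__(self, alphabet=string.digits, length=6, clock=time.monotonic):
        self.alphabet, self.length, self.clock = alphabet, length, clock
        self.pending = {}  # user_id -> [code, expires_at, attempts_left]

    def issue(self, user_id):
        code = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self.pending[user_id] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user_id, guess, source_ip=None):
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_code"
        if self.clock() >= entry[1]:
            del self.pending[user_id]
            return "expired"
        if entry[2] <= 0:
            return "locked"  # stays locked until a new code is issued
        entry[2] -= 1
        if hmac.compare_digest(entry[0].encode(), guess.encode()):
            del self.pending[user_id]
            return "ok"
        return "wrong"

if __name__ == "__main__":
    for name, size in (("digits", 10), ("digits+letters", 36)):
        print(name, round(exhaust_rate(size, 6)), guess_success_probability(size, 6))
```

With the per-user cap in place, the digits-only code already limits an attacker to a handful of guesses per issued code; a larger alphabet lowers the per-code hit probability further but does not help if the mailbox itself is compromised.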
