Fixed Failed Passkey logins do not trigger login limit

Kirby

Well-known member
Affected version
2.3.7
If a client has more than 4 failed login attempts with username / email and password within 15 minutes, the user account will be limited according to option loginLimit.

This option is not applied though if Passkey logins are performed.

While Passkeys are a lot less vulnerable to brute-force attacks, it might still be useful to apply a limit.

Suggested Fix
Also apply the configured limit method for Passkey logins (Preferred)
or
Modify the wording to make it more clear that this does not affect Passkey logins
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.8).

Change log:
Ensure failed passkey logins count towards failed login attempts limit (#1207)
There may be a delay before changes are rolled out to the XenForo Community.
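
The gap reported in this thread, modelled as an added example (this is not XenForo code): a sliding-window failure counter using the report's figures of more than 4 failures within 15 minutes, replayed once with only password failures counted and once with passkey failures counted too. The class and function names, the method labels, the keying by client address and the sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 15 * 60   # seconds; the 15-minute window from the report
MAX_FAILURES = 4   # the report's threshold: more than 4 failures applies the limit

class LoginLimiter:
    """Hypothetical limiter; counted_methods decides which failures are recorded."""
    def __init__(self, counted_methods):
        self.counted = set(counted_methods)
        self.failures = defaultdict(deque)   # client id -> failure timestamps

    def record_failure(self, client, method, ts):
        if method in self.counted:           # the reported gap: "passkey" was not counted
            self.failures[client].append(ts)

    def is_limited(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > WINDOW:     # drop failures older than the window
            q.popleft()
        return len(q) > MAX_FAILURES

def first_limited_at(events, counted_methods):
    """Replay (ts, client, method) failures; return the ts at which the limit first applies."""
    limiter = LoginLimiter(counted_methods)
    for ts, client, method in events:
        limiter.record_failure(client, method, ts)
        if limiter.is_limited(client, ts):
            return ts
    return None

# Constructed sample data: failed attempts from one client (seconds since start).
CLIENT = "203.0.113.7"
PASSKEY_ONLY = [(t, CLIENT, "passkey") for t in (0, 60, 120, 180, 240)]
MIXED = [(0, CLIENT, "password"), (30, CLIENT, "password"), (60, CLIENT, "password"),
         (90, CLIENT, "passkey"), (120, CLIENT, "passkey")]
SLOW = [(t, CLIENT, "passkey") for t in (0, 300, 600, 900, 1200)]  # spread over 20 minutes

BEFORE = {"password"}              # behaviour described in the report
AFTER = {"password", "passkey"}    # behaviour once passkey failures count

if __name__ == "__main__":
    for name, events in (("passkey only", PASSKEY_ONLY), ("mixed", MIXED), ("slow", SLOW)):
        print(name, first_limited_at(events, BEFORE), first_limited_at(events, AFTER))
```

The mixed case is the one worth checking after upgrading: password and passkey failures have to feed the same counter, otherwise alternating methods stays under the threshold.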
 