On 13.5.2016 15:25, Thomas Heil wrote:
> Hi,
>
> I would like to reduce the vector of brute force attacks in my web
> application written in PHP. Users can log in via password and OTP, which
> are hosted on FreeIPA.
>
> To achieve this I would like to check the OTP first, so no password auth
> is done on the FreeIPA server and no user can be locked out.
>
> If the OTP is correct, the user is then allowed to log in via password+OTP.
>
> Unfortunately, there is no API method that can check only the OTP for a
> user with an identity.
>
> Would it be possible to expose such a new method?
This would open a new attack vector, so it is a bad idea. An attacker must not be able to distinguish the case where the password OR the OTP is correct/wrong. If you allow this, the attacker will be able to crack the OTP first and then continue with the password, so you are making it easier. Do not do that :-)

-- 
Petr^2 Spacek
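Petr's point in working code, as an added example that is not from this thread or from FreeIPA: the proposed "check the OTP first" flow (`login_split`) beside a combined check (`login_combined`) that evaluates both factors and returns one verdict. The user record, password and TOTP secret (the RFC 4226 test-vector secret) are constructed for the demo, and the SHA-256 password hash is a stand-in for a real password KDF.

```python
import hashlib
import hmac
import struct

# Constructed demo record; the secret is the RFC 4226 test-vector secret, not real data.
USER_DB = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),  # toy hash, use a KDF in practice
        "totp_secret": b"12345678901234567890",
    }
}
# Dummy record so unknown users take the same code path as known ones.
DUMMY = {"pw_hash": "0" * 64, "totp_secret": b"\x00" * 20}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)

def password_ok(password: str, rec: dict) -> bool:
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"])

def login_split(user: str, password: str, otp: str, now: int) -> str:
    """The flow asked for above: the OTP is verified alone and the result reveals which
    factor failed. The 6-digit OTP can then be brute-forced on its own (at most 10**6
    guesses per time step) before the password is even attempted, so the two factors
    add up instead of multiplying."""
    rec = USER_DB.get(user)
    if rec is None:
        return "no such user"
    if not hmac.compare_digest(otp, totp(rec["totp_secret"], now)):
        return "bad otp"
    if not password_ok(password, rec):
        return "bad password"
    return "ok"

def login_combined(user: str, password: str, otp: str, now: int) -> str:
    """Petr's advice: check both factors on every attempt and return a single verdict,
    so a wrong password and a wrong OTP are indistinguishable to the caller."""
    rec = USER_DB.get(user, DUMMY)
    pw_ok = password_ok(password, rec)
    otp_ok = hmac.compare_digest(otp, totp(rec["totp_secret"], now))
    return "ok" if (pw_ok and otp_ok and user in USER_DB) else "login failed"
```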
