
0
Under review
2FA: question and suggestion
Hello,
I have introduced 2FA invalid code 6 times and it looks the account is never blocked. So it would be nice "Maximum login attempts" applied to code too for avoiding brute force attacks.
Most of times I connect from same LAN or VPN, I would like 2FA could config for all connections (like now) or for public IPs only. This would be very simple, however with ioncube I can do it.
Thanks.
Customer support service by UserEcho
It does apply. However, the superuser account has by default a considerably higher number of attempts, regardless of the configured limit. I think it's about 20, so it would be pretty hard to brute force with just that.
I do like the idea of a setting for allowing local IPs without 2FA.
I like the idea of no 2fa if from local IP's or a bank of public IP's.