Under review

2FA: question and suggestion

1 year ago • updated by 2 months ago • 2

Hello,

I have introduced 2FA invalid code 6 times and it looks the account is never blocked. So it would be nice "Maximum login attempts" applied to code too for avoiding brute force attacks.

Most of times I connect from same LAN or VPN, I would like 2FA could config for all connections (like now) or for public IPs only. This would be very simple, however with ioncube I can do it.

Thanks.

Vote

Replies 2
Oldest first
- Newest first
- Oldest first

Under review

1 year ago

It does apply. However, the superuser account has by default a considerably higher number of attempts, regardless of the configured limit. I think it's about 20, so it would be pretty hard to brute force with just that.

I do like the idea of a setting for allowing local IPs without 2FA.

Reply
- Is it?
- Inappropriate
- Spam
- Duplicate
|

2 months ago

I like the idea of no 2fa if from local IP's or a bank of public IP's.

Reply
- Is it?
- Inappropriate
- Spam
- Duplicate
|

Customer support service by UserEcho