Under review

2FA: question and suggestion

narcotico 1 year ago updated by Shawn L 2 months ago 2


I have introduced 2FA invalid code 6 times and it looks the account is never blocked. So it would be nice "Maximum login attempts" applied to code too for avoiding brute force attacks.

Most of times I connect from same LAN or VPN, I would like 2FA could config for all connections (like now) or for public IPs only. This would be very simple, however with ioncube I can do it.


Under review

It does apply. However, the superuser account has by default a considerably higher number of attempts, regardless of the configured limit. I think it's about 20, so it would be pretty hard to brute force with just that.

I do like the idea of a setting for allowing local IPs without 2FA.

I like the idea of no 2fa if from local IP's or a bank of public IP's.