Under review

2FA: question and suggestion

narcotico 1 month ago, updated by Vlad R 1 month ago

Hello,

I have entered an invalid 2FA code 6 times and it looks like the account is never blocked. So it would be nice if "Maximum login attempts" applied to the code too, to avoid brute force attacks.

Most of the time I connect from the same LAN or VPN, so I would like 2FA to be configurable for all connections (like now) or for public IPs only. This would be very simple; however, with ioncube I can do it.

Thanks.

Under review

It does apply. However, the superuser account has by default a considerably higher number of attempts, regardless of the configured limit. I think it's about 20, so it would be pretty hard to brute force with just that.

I do like the idea of a setting for allowing local IPs without 2FA.
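
Added example, not part of the thread and not the product's own code: a sketch of the two controls discussed above, a failed-attempt limit that also counts 2FA codes and a "2FA for public IPs only" switch. All names, the trusted network list and the limit of 6 are assumptions chosen for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Assumed trusted ranges (RFC 1918); a real deployment would list only its own LAN/VPN subnets.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def requires_2fa(peer_ip: str, public_only: bool) -> bool:
    """Return True when the second factor must be requested.

    peer_ip must be the socket peer address; a client-supplied header such as
    X-Forwarded-For can be forged and would let anyone skip 2FA.
    """
    if not public_only:
        return True  # current behaviour in the thread: 2FA for all connections
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return True  # unparsable address: fail closed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address
    return not any(addr in net for net in TRUSTED_NETS)


@dataclass
class CodeAttemptLimiter:
    """Counts failed 2FA codes per account, like a password attempt limit."""
    max_attempts: int
    failures: dict = field(default_factory=dict)

    def locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.max_attempts

    def check(self, account: str, submitted: str, expected: str) -> str:
        if self.locked(account):
            return "locked"  # even a correct code is refused once locked
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "locked" if self.locked(account) else "retry"
```

The exemption is only as strong as the network boundary: any host that can reach the login page from a trusted range, including a compromised LAN machine, is back to password-only authentication.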