Assurance

[Eric Goodman <>]

I like your proposal.

I hadn't realized 800-63-1 changed the requirements and their arguments 
against simple counters are interesting. I think you address the first and 
the last very well, I had some additional thoughts on the second one:

"The approach is a single point of failure."

In addition to the points you make countering this statement:

* If the failure is a failure to send current statistics to the central 
"counter", as long as the problem doesn't persist for more than 72 hours and 
you can resync the counts before the 72 hour timeframe is up, you wouldn't 
need to stop asserting the IAQ.

* You can still implement rate-limiters at the individual authenticators 
(i.e., limited login attempts/unit time). At the end of any such outage, if 
stats from the outage period were unavailable, you could simply increment all 
of your users' counters by the maximum possible attempt rate * duration of 
the outage.

I can envision other attacks that would allow someone to bypass a central 
counter (e.g., compromising the count database, modifying the authenticator 
logs before they are written out), but those kinds of attacks are probably so 
intrusive that brute force limit being exceeded is the least of your worries. 

--- Eric

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Benn Oshrin
Sent: Friday, May 31, 2013 2:52 PM
To: 

Subject: [Assurance] Failed Authentication Counter Strawman

As mentioned on a couple of previous calls, I've been interested in a 
solution for counting failed authentication attempts. I've drafted a 
strawman, available for review at

  https://spaces.internet2.edu/x/kAtOAg

I'd be interested in comments and feedback, and assuming no fatal flaw, I'd 
also be interested if anyone else is considering a similar approach.

Thanks,

-Benn-