
Re: [Assurance] Counting Failed Logins Update


  • From: Benn Oshrin <>
  • Subject: Re: [Assurance] Counting Failed Logins Update
  • Date: Wed, 26 Jun 2013 08:12:32 -0600

On 6/21/13 3:01 PM, Joe St Sauver wrote:
#The Counting Failed Logins working group met yesterday and had a fairly
#productive conversation.

#I know that implicitly this work is motivated by 800-63-2's requirements
#that limit failed authentication attempts to 100 or fewer per 30 day period,

On a technical note, it's motivated by version 1.2 of the InCommon IAPs, which refer to 800-63-1 for calculating entropy. We then refer back to 800-63 1.0.2 to determine how to apply the entropy calculation, since that language was removed from later drafts.

800-63-2 introduced that 100/30 day restriction, which is stricter than we generally need.

#My concern, however, is that the details of the specified mechanisms don't
#really make sense to me, as defined there.

We're not proposing to use them.

#There's also no discussion of how the failed logins could be "reset" --
#does this imply that a user could potentially be "done" using his or
#her username and password (even with the RIGHT password), for up to a
#*month* after hitting a hundred login failures on the 1st of the month?

In the strawman, the failed login count is reset on successful password change. The month window does not apply.

-Benn-
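The two accounting rules this exchange contrasts, modelled in Python as an added illustration written for this archive page (it is not code from the thread, the Counting Failed Logins working group, InCommon or NIST). It runs Joe's hypothetical, a hundred failures on the 1st of the month, against a rolling 30-day window in the 800-63-2 reading and against the strawman's count-until-password-change. Assumptions not in the message: both policies lock at 100 failures (800-63-2's figure is reused for the strawman, whose own cap the thread does not state), a locked account refuses even the correct password (the reading behind the "done for a month" question), and the dates are constructed.

```python
"""Two failed-login accounting policies, modelled for illustration.

Constructed example for this archive page; not the working group's
strawman or any InCommon/NIST reference code.  Assumptions: both policies
lock the account at THRESHOLD failures (800-63-2's figure of 100 is reused
for the strawman, whose actual cap the thread does not give), and a locked
account refuses even the correct password.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

THRESHOLD = 100              # assumed lockout cap for both policies
WINDOW = timedelta(days=30)  # 800-63-2's 30-day period


@dataclass
class RollingWindowPolicy:
    """800-63-2 reading: no more than THRESHOLD failures in any 30-day period."""
    failures: list = field(default_factory=list)  # timestamps of failed attempts

    def _prune(self, now: datetime) -> None:
        # Only failures inside the trailing 30-day window count.
        self.failures = [t for t in self.failures if now - t < WINDOW]

    def attempt(self, now: datetime, password_ok: bool) -> str:
        self._prune(now)
        if len(self.failures) >= THRESHOLD:
            return "locked"   # refused regardless of password correctness
        if password_ok:
            return "ok"       # a success does not clear earlier failures
        self.failures.append(now)
        return "fail"

    def password_changed(self, now: datetime) -> None:
        pass  # a time-based window has no reset event; only time clears it


@dataclass
class ResetOnChangePolicy:
    """Strawman reading: a cumulative count, cleared only by a password change."""
    failures: int = 0

    def attempt(self, now: datetime, password_ok: bool) -> str:
        if self.failures >= THRESHOLD:
            return "locked"
        if password_ok:
            return "ok"
        self.failures += 1
        return "fail"

    def password_changed(self, now: datetime) -> None:
        self.failures = 0  # the reset the strawman specifies


def scenario(policy, change_password: bool) -> dict:
    """Run the thread's hypothetical: 100 failures on the 1st of the month.

    Returns what a correct-password login gets on day 2, on day 2 after an
    (optional) password change, and on day 31.
    """
    def day(n: int) -> datetime:
        return datetime(2013, 6, 1) + timedelta(days=n - 1)  # constructed dates

    for _ in range(THRESHOLD):
        policy.attempt(day(1), password_ok=False)

    out = {"day2_correct": policy.attempt(day(2), password_ok=True)}
    if change_password:
        # Assumes a change path (e.g. a recovery flow) that does not itself
        # require logging in with the locked password.
        policy.password_changed(day(2))
    out["day2_after_change"] = policy.attempt(day(2), password_ok=True)
    out["day31_correct"] = policy.attempt(day(31), password_ok=True)
    return out


if __name__ == "__main__":
    for name, cls in (("rolling 30-day window", RollingWindowPolicy),
                      ("reset on password change", ResetOnChangePolicy)):
        for change in (False, True):
            print(f"{name:26s} change={change!s:5s} {scenario(cls(), change)}")
```

Under the rolling window the account thaws on its own on day 31 and a password change does nothing; under the strawman it never thaws on its own but opens immediately after the change. The reset therefore only helps if the password-change path does not itself require logging in with the locked password, which the thread leaves unspecified.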


