How to show captcha after failed login attempts?

I have an ASP.NET MVC 5 application that uses ASP.NET Identity 2.0 to authenticate users.

Currently, users are forced to enter captcha every time they try to log in, but this causes a lot of complaints about the complexity of authentication.

The main goal is to make the person accessible as simple as possible, and for the robot as complex as possible.

I decided to show captcha after a certain number of failed login attempts. There are many already asked questions about this, but I did not find answers that will help me build a fairly complete solution. I found a question about tracking failed attempts, but also uses locking, which I don't want. And in accordance with this, the response part of the required functionality is available in the old ASP.NET membership provider and is not available (yet?) In Identity ASP.NET.

So, I got the following simplified algorithm:

  • If the login and password pair are correct, log in.
  • If the username or password is incorrect, record the failed login attempt.
  • If you registered three failed login attempts for the user, then display the login page using captcha.
  • If the captcha entered is valid, then count the number of failed login attempts, then go to 1.
  • If the captcha you entered is not valid, then display the login page again using captcha.

The question arises: how can I select incoming requests as a request for a specific input?

I cannot rely on cookies, sessions, IP addresses, etc., because any robot can change them. And I can’t rely on the login, because the login may not exist completely. The obvious approach is to create a separate table in which the login, the number of failed attempts and the timestamp will be stored, but the robot can easily fill it with fake inputs, although I can get around this by deleting the old entries in the scheduled task.

Is this really a solution? Is there a better way to do this?

+7
security asp.net-mvc captcha asp.net-identity-2
source share
1 answer

The Identity system has an account for failed logins for each user. You can increase it with await UserManager.AccessFailedAsync(userId) . And the ApplicationUser.AccessFailedCount property stores failed counts for the user record. And reset failed to call await UserManager.ResetAccessFailedCountAsync(userId) call await UserManager.ResetAccessFailedCountAsync(userId)
So it can be used.

However, this does not take into account invalid user names - login attempts when the user does not exist in the database. For this case, you can use the proposed table with regular cleaning records using a cron task.

But if the user tries to log in and puts different usernames at each attempt, this approach will fail. Therefore, I still add cookies there, but I do not rely heavily on it, knowing that it can be easily killed.

Another solution is to use a new reCaptcha on every page. However, this is a new technology and there are reports ; it is not completely reliable.

+4
source share

All Articles