I have an ASP.NET MVC 5 application that uses ASP.NET Identity 2.0 to authenticate users.
Currently, users are forced to enter captcha every time they try to log in, but this causes a lot of complaints about the complexity of authentication.
The main goal is to make the person accessible as simple as possible, and for the robot as complex as possible.
I decided to show captcha after a certain number of failed login attempts. There are many already asked questions about this, but I did not find answers that will help me build a fairly complete solution. I found a question about tracking failed attempts, but also uses locking, which I don't want. And in accordance with this, the response part of the required functionality is available in the old ASP.NET membership provider and is not available (yet?) In Identity ASP.NET.
So, I got the following simplified algorithm:
- If the login and password pair are correct, log in.
- If the username or password is incorrect, record the failed login attempt.
- If you registered three failed login attempts for the user, then display the login page using captcha.
- If the captcha entered is valid, then count the number of failed login attempts, then go to 1.
- If the captcha you entered is not valid, then display the login page again using captcha.
The question arises: how can I select incoming requests as a request for a specific input?
I cannot rely on cookies, sessions, IP addresses, etc., because any robot can change them. And I canβt rely on the login, because the login may not exist completely. The obvious approach is to create a separate table in which the login, the number of failed attempts and the timestamp will be stored, but the robot can easily fill it with fake inputs, although I can get around this by deleting the old entries in the scheduled task.
Is this really a solution? Is there a better way to do this?
security asp.net-mvc captcha asp.net-identity-2
sigurd
source share