Limit OTP guesses to 3 in all contexts#1654
Merged
**Why**: Previously, we allowed unlimited OTP guesses when confirming a phone number because we didn't think this posed any security risks. In hindsight this was a poor decision since it can portray our app as being insecure and affects our reputation and confidence in the system. We should be defaulting to safe everywhere. **How**: Remove any conditional logic that determines whether or not guesses should be limited. Everyone will now be limited to 3 OTP guesses regardless of context.
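The rule this PR settles on, an unconditional cap of 3 guesses with no context-dependent exemption, as an added Ruby example that is not the project's own code (class and method names are assumptions). The lockout check runs before the code comparison, so a correct code submitted after the cap is still rejected:

```ruby
# Added example, not code from this PR. Models phone-number OTP confirmation
# where every caller gets the same limit; there is deliberately no branch that
# lifts the cap for a particular flow (signup, reauthentication, etc.).
class OtpConfirmation
  MAX_ATTEMPTS = 3

  attr_reader :attempts

  def initialize(expected_code)
    @expected_code = expected_code.to_s
    @attempts = 0
    @confirmed = false
  end

  def locked_out?
    @attempts >= MAX_ATTEMPTS
  end

  def confirmed?
    @confirmed
  end

  # Returns :confirmed, :incorrect, or :locked_out. The lockout check comes
  # first so that a correct code after MAX_ATTEMPTS failures is not accepted.
  def submit(code)
    return :locked_out if locked_out?

    @attempts += 1
    if secure_equal?(code.to_s, @expected_code)
      @confirmed = true
      :confirmed
    else
      :incorrect
    end
  end

  private

  # Length-independent comparison so timing does not leak how many leading
  # digits of the guess were right.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```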
Contributor:
Should we add a feature spec that checks for being locked out during signup?

Contributor (Author):
That spec is in this PR already. The filename of the spec is misleading. I can move it to a new properly-named spec if you prefer.

Contributor:
Nope, I wasn't looking in the right place. It works! 👍