Avoid brute force by locking out after failed attempts

[chillu]

Currently TOTPAuthenticator registers a failed login only when no token is present. If the token is wrong, it throws and redirects. https://github.com/elliot-sawyer/totp-authenticator/blob/master/src/Authenticators/TOTPAuthenticator.php#L46

That's opening up the implementation to brute force. The time window of 30s is irrelevant if you get infinite tries (bound by server capacity).

/cc @Firesphere

[brynwhyman]

Given that this module relies on the bootstrapmfa module, could we look at handling excessive (brute forced) requests in that, and build it so authentication modules like this just consume it?

[robbieaverill]

It looks like we can add this to solve this:

                if ($user_submitted_key !== $key) {
+                   $member->registerFailedLogin();
                    $result->addError(_t(self::class . '.TOTPFAILED', 'TOTP Failed'));
                }

This way the core mechanism for handling lockouts for repeated failed login attempts can be used.

Also need to validate that this works of course. It may need some extra conditions checking for isLockedOut() etc.