MFA gauth brute force


Matthew Gordon

Dec 24, 2022, 10:51:26 PM
to CAS Community
Hello,

How could I prevent brute force of the scratch codes for MFA gauth?

Basically you can sit there rolling through the MFA codes until one hits a scratch code, without things failing. Is there some way to cap failed MFA logins, or integrate it with throttling?

I tried building cas with Throttling as well (https://apereo.github.io/cas/development/authentication/Configuring-Authentication-Throttling.html), hoping that would work for MFA, but it just adds an entry per failed MFA token, which is a good way to trigger a denial of service, possibly filling up whatever storage you use.

Thank you,
Matt

Nordy Di Marzio

Jul 11, 2025, 12:46:50 PM
to CAS Community, Matthew Gordon
Hello,

I am facing the same challenge, trying to prevent such a problem (brute force on scratch codes).

Have you found any solution or alternative to cover the issue?

Thanks for your help.
Nordy

Matthew Gordon

Oct 24, 2025, 11:15:23 AM
to CAS Community, Nordy Di Marzio, Matthew Gordon

Y G

Oct 24, 2025, 7:16:49 PM
to CAS Community, Matthew Gordon, Nordy Di Marzio
Hello,
Doesn't this setting solve that problem?

cas.authn.mfa.gauth.core.maximum-authentication-attempts=0

Maximum number of authentication attempts allowed for a token validation attempt. If the number of attempts exceeds this value, authentication will halt. A negative or zero value (default) means no limits are enforced. Note that the user account is not locked out by default; only the CAS authentication flow is halted and user is notified and required to restart the authentication process again.

https://apereo.github.io/cas/development/mfa/GoogleAuthenticator-Authentication.html

On Friday, October 24, 2025 at 18:15:23 UTC+3, Matthew Gordon wrote:
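As an added illustration, not CAS code and not posted by anyone in this thread, here is the shape of throttle Matt's first message asks for: a per-principal sliding window that refuses further MFA token validation once `threshold` failures fall inside `window_seconds`, while storing at most `threshold` timestamps per principal instead of one record per failed token. Class, method and parameter names are my own assumptions, and the simulated attempt stream is constructed.

```python
from collections import deque
class MfaAttemptThrottle:
    """Sliding-window throttle for MFA token validation attempts (assumed design).
    Keeps at most ``threshold`` failure timestamps per principal in a bounded
    deque, so a flood of bad tokens cannot add one stored record per failure."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._failures = {}  # principal -> deque of failure timestamps

    def _recent(self, principal, now):
        # Drop failures outside the window; return the live deque or None.
        q = self._failures.get(principal)
        if q is None:
            return None
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            del self._failures[principal]
            return None
        return q

    def is_blocked(self, principal, now):
        q = self._recent(principal, now)
        return q is not None and len(q) >= self.threshold

    def record_failure(self, principal, now):
        self._recent(principal, now)
        q = self._failures.setdefault(principal, deque(maxlen=self.threshold))
        q.append(now)

    def record_success(self, principal):
        self._failures.pop(principal, None)  # clear state on a valid token

    def state_size(self):
        return sum(len(q) for q in self._failures.values())

def simulate_guessing(throttle, principal, attempts, gap_seconds=1):
    """Constructed scenario: ``attempts`` wrong tokens, one per ``gap_seconds``.
    Returns (evaluated, refused, records_stored_at_end)."""
    evaluated = refused = 0
    for i in range(attempts):
        now = i * gap_seconds
        if throttle.is_blocked(principal, now):
            refused += 1
            continue
        evaluated += 1  # the token would be validated here; treat it as wrong
        throttle.record_failure(principal, now)
    return evaluated, refused, throttle.state_size()
```

With threshold 5 and a 60-second window, 1000 wrong tokens sent one per second get only 85 evaluated, and the stored state stays at 5 records for that principal. Note that the prune in `_recent` only runs when a principal is touched again, so a deployment would still want a periodic sweep of idle principals.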