Locking user account after multiple login try


Neeraj Kumar

Nov 30, 2015, 11:31:15 PM11/30/15
to Firebase Google Group
Hi

We have one requirement from a security perspective to lock a user account (username/password) if there are more than 5 unsuccessful trials.

Is it possible to do in firebase?

Cheers
Neeraj

Frank van Puffelen

Dec 3, 2015, 11:45:11 AM12/3/15
to Firebase Google Group
While Firebase's email+password authentication has some rate limits in place, you have no control over these.

But since it's your app that calls authWithPassword(), you have quite some control over what happens. You could for example write a record whenever the user attempts to log in and then disable the login functionality when they are over the threshold. You could (and should) also implement some lock-out mechanism in the security rules of your Firebase backend, so that those users also can't access the data if they authenticate with some other means. Kato wrote about this a while ago on StackOverflow: http://stackoverflow.com/questions/24830079/firebase-rate-limiting-in-security-rules

So: no, you cannot tell Firebase authentication to lock an account. But you can implement the use-case in your own application and in security rules.

Frank

Justin Noel

Dec 3, 2015, 5:27:22 PM12/3/15
to Firebase Google Group
Frank,

It seems to me that using the app to regulate this "lock" is really not an effective security measure.  

If the requirement is "5 failed attempts" and you're locked out, then yes - using the app to write to some other table will work on the surface.

However, if a malicious person isn't using the app and is instead just scripting or even using the console to attempt logins, then they will never write to this "lock" table.  So, they will never get locked out.

I don't have the same security requirement as the OP.  However, I can certainly see this as valuable under certain circumstances.  This would fall in nicely as a feature along with Firebase's existing plans to give control of the authentication tables to the account owner.

Thanks,
Justin

Frank van Puffelen

Dec 3, 2015, 10:59:38 PM12/3/15
to Firebase Google Group
Hey Justin,

Thanks for your feedback. I think we all agree that it would be great if Firebase Authentication provided more control over password complexity and validation requirements. Even exposing more details about the authentication history of the user would go a long way to enabling this scenario.

But at the moment developers can do quite a bit already to make abuse from within the app less likely, which is all I wanted to point out beyond a "no, you cannot set the maximum rate of auth attempts". If the in-app approach is not good enough, there is always the option of handling authentication elsewhere (a custom server or 3rd party authentication service) and minting Firebase JWTs there.

Frank