System should block the login option for defined period of time, when user enter wrong local device PIN more than 3 attempts

In order to reduce the chance for brute forcing the local device PIN, system should lock temporary the login option after 3 wrong attempts.

Acceptance criteria

• when user enter more than 3 times wrong device PIN, then the system lock down the login option for 5 minutes
• when login option is locked, then the system shows in login popup message with reverse counter showing how much time is left until the user is able make the next login attempt.

Message : "3 incorrect attempts. Try again in xx:xx"

• when user enter more that 9 time wrong PIN, then system revoke the account for the device

changed milestone to %v0.6

changed the description

added ReadyForDev label and removed InPreparation label

changed the description

unassigned @kalin.canov

assigned to @olgun.cengiz

added backend label

created branch 14-system-should-block-the-login-option-for-defined-period-of-time-when-user-enter-wrong-local-device-pin-more-than-3-attempts

To work on this ticket, I cloned "vcl" repo and "dashboard" repo.

To run dashboard locally:

• Run all VIAM agents (data-storage-agent, entities-management-agent, ... , restful-api)

• Run vcl

  • make dev

• Run dashboard

  • HTTPS=false yarn start

• Go to http://localhost:3000/

• Found the function in the vcl code to insert 3 failed attempts logic:

  • decryptMessage in viamapi-iframe.js

• Countdown Timer

  • https://jsfiddle.net/ck0aeuLp/
  • https://codepen.io/anon/pen/XOjLVY

added DevInProgress label and removed ReadyForDev label

Implemented countdown timer mechanism to viamapi-iframe.js but it has a down-side: If user closes active browser (where timer is running), the timer will pause forever.

Will use TimeStamp+5minutes approach.

Implemented blocking design for pincode.

• Below: First failed attempt (nothing different from old design)

• Below: After 3 failed attempts (warning message is changed)

After 9 failed attempts, it is requiered to revoke the account for the device. @gospodin.bodurov should I use destroyIdentityFromLocalStorage() or another method for this operation?

Also, I use below script to get current time:

function getCurrentTime() {
  return Math.floor(new Date().getTime() / 1000);
}

but it can be altered if the end user changes operating system's clock. Should we use a "get server time" method as described here? https://stackoverflow.com/questions/20269657/right-way-to-get-web-server-time-and-display-it-on-web-pages

@olgun.cengiz what happens if you restart the tab? Will you store the counter somewhere?

@gospodin.bodurov If you close the current tab and open a new one, the blockage is still valid. Because I set blockFinishTime (which is getTime() + 5 minutes) in localStorage. If block starts at 13:00, I set 13:05 in localStorage and till that time, the same browser can’t be used. There might be a drawback though, if the user changes OS time outside the browser, it might lift the blockage. For this, we can think of a ajax call to a server to get time more accurately. Or we can leave it as is.

@gospodin.bodurov what about revoking identity? Which function should I use?

DestroyKeys, but you can ask @alexey.lunin for more information.

@olgun.cengiz If we logged in dashboard then we can use lib.identityDestroyKeysForDevice(publicKey).

This method requires authentication on the server. Otherwise, we get {"status":"No authentication values","code":"400","data":{}}

And after that we need to clear identity from localstorage lib.clearIdentities();

So, from Pin code view we can only clear the localStorage with lib.clearIdentities();

@alexey.lunin Thanks, I will try clearIdentities() then.

• Implemented clearIdentities() after 9 failed attempts
• Committed changes to branch 14-system-should-block-the-login-option-for-defined-period-of-time-when-user-enter-wrong-local-device-pin-more-than-3-attempts
• Deployed branch on https://olguncengiz.dev.vereign.com
• Tested on RoundCube plugin
  • Works on RoundCube plugin, too
  • But needs fixing on message displays

Ready for QA on https://olguncengiz.dev.vereign.com (for dashboard) and https://vereign.cucumbermail.net (for RoundCube plugin using VIAM API library at https://olguncengiz.dev.vereign.com/vcl/js/client)

added ReadyForQA label and removed DevInProgress label

assigned to @rosen.georgiev and unassigned @olgun.cengiz

created branch 14-system-should-block-the-login-option-for-defined-period-of-time-when-user-enter-wrong-local-device-pin-more-than-3-attempts-2

mentioned in merge request !16 (closed)

mentioned in merge request !17 (merged)

assigned to @olgun.cengiz and unassigned @rosen.georgiev

assigned to @rosen.georgiev and unassigned @olgun.cengiz

added InTesting label and removed ReadyForQA label

• - 9 wrong attempts show error error only once upon blocking: "Can not load entity:9 failed attempts. Identity is revoked!" Please remove the Can not load entity: part

• - After the 9 attempts if you try for 10th the error shown is just : Can not load identity Please change to Please restore or authorize your account via another device.

• - On the issue its mentioned the error should be 3 incorrect attempts. Try again in xx:xx , but its: Can not load identity: 3 incorrect attempts. Try again in xx:xx . Please remove the Can not load identity: part.

• - When the pin code entering is blocked for 5 mins the error shown is : Can not load entity:Your identity has been locked. Try again in 4 minutes and 55 seconds. Please remove the Can not load entity: part

Done. You can check again on https://olguncengiz.dev.vereign.com

NOTE: You can check for other conditions where identity can not be loaded to see if error messages are still OK or not.

• - 9 wrong attempts show error error only once upon blocking: "Can not load entity:9 failed attempts. Identity is revoked!" Please remove the Can not load entity: part
• - After the 9 attempts if you try for 10th the error shown is just : Can not load identity Please change to Please restore or authorize your account via another device.
• - On the issue its mentioned the error should be 3 incorrect attempts. Try again in xx:xx , but its: Can not load identity: 3 incorrect attempts. Try again in xx:xx . Please remove the Can not load identity: part.
• - When the pin code entering is blocked for 5 mins the error shown is : Can not load entity:Your identity has been locked. Try again in 4 minutes and 55 seconds. Please remove the Can not load entity: part

Retested its fixed.

added ReadyForMergeInMaster testedByQA labels and removed InTesting label

closed via merge request !17 (merged)

mentioned in commit 233e5eba