[device lock] Delay log in attempts after several failed ones

Bug #1347907 reported by kevin gunn on 2014-07-23
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu UX
High
Olga Kemmet
Unity 8
Fix Released
Undecided
Michael Terry
unity8 (Ubuntu)
Undecided
Unassigned

Bug Description

capturing the desire from our security team to add in a delay for the ability to attempt unlocks on the greeter.
unless design provides some other specification choose 5 potential failed attmepts, upon which the greeter will not unlock or allow a password entry attempt for 1 hour.

Related branches

lp:~mterry/unity8/wrong-password-handling
Superseded for merging into lp:unity8
PS Jenkins bot: Needs Fixing (continuous-integration) on 2014-08-14
Michael Zanetti: Approve on 2014-08-13
Michał Sawicz: Abstain on 2014-08-12
David Planella (community): Needs Fixing on 2014-08-06
Albert Astals Cid: Needs Fixing on 2014-08-06
kevin gunn (kgunn72) on 2014-07-23
Changed in unity8:
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry) wrote :

I've added an ubuntu-ux task, because I'd like guidance for how this is presented to the user.

My thinking from a technical POV is that we can use a PAM module (pam_tally2) to record failed logins. The timing is configurable with it, but the default behavior is to just silently fail. That is, once the user fails to log in, say 5 times, then further logins for, say an hour, will fail (even if the right password is used). Is that how we'd like it work?

But we probably want some message to be shown to the user. Right now we don't show any text at all on incorrect entries. We just jiggle the password box.

Michael Terry (mterry) wrote :

Oh and one security facet of pam_tally2 is that because we're not using the split greeter, we'd have to store the tally record in the user's home directory. I don't think this is a security risk, since if you have access to the home directory, you don't need to bother with being locked out. And the system is inherently single-user as long as we don't have a split greeter. So no worries there. Just pointing it out.

kevin gunn (kgunn72) on 2014-07-29
tags: added: rtm14
Michael Terry (mterry) wrote :

Per design:
https://docs.google.com/a/canonical.com/document/d/1VajNkWbBH61iVixXJAmOvNGiG__GWQTMXGNOZijXWJw/edit#heading=h.6zhf6wqejmh6
(search for "passcode incorrect")

They want us to factory-reset the phone after 10 failed entries. While this isn't a delay, it solves the same security problem of trying to brute force the password.

summary: - create a delay for password failure attempts
+ Factory-reset the phone after enough failure attempts

OK, after talking to design and security, we're going to use delays by default. Marc suggested a 5 minute wait after 5 failed attempts. So I'll start with that.

Design would still like to add the ability to wipe after some failures as an opt-in option. See bug 1350449 for that. I'll revert the bug title here.

summary: - Factory-reset the phone after enough failure attempts
+ Delay log in attempts after several failed ones
Michael Terry (mterry) on 2014-08-01
Changed in unity8:
status: New → In Progress

unity8 (8.00+14.10.20140814.1-0ubuntu1) utopic; urgency=low

  [ Michael Terry ]
  * Add --lightdm= argument to ./run.sh that lets developers choose
    which lightdm backend to use. Stop letting a user that is
    immediately denied via PAM into the shell by fixing some assumptions
    that a user which was not prompted was successfully authenticated.
    This is not a common situation, you'd have to manually change your
    PAM config. Fix a small console warning .
  * Make wrong-password handling much nicer by showing a pretty spinner
    while we wait for PAM, by improving the prompt text to match
    designs, by forcing the user to wait five seconds after every five
    failed attemps, and by supporting (but not yet enabling) an opt-in
    "factory-reset your phone after X failed attemps" feature.

  [ Michael Zanetti ]
  * bring back network caching in dash (LP: #1355729)

  [ Michał Sawicz ]
  * Add --lightdm= argument to ./run.sh that lets developers choose
    which lightdm backend to use. Stop letting a user that is
    immediately denied via PAM into the shell by fixing some assumptions
    that a user which was not prompted was successfully authenticated.
    This is not a common situation, you'd have to manually change your
    PAM config. Fix a small console warning .
  * Fix anchor in PreviewListView.qml.
  * Make wrong-password handling much nicer by showing a pretty spinner
    while we wait for PAM, by improving the prompt text to match
    designs, by forcing the user to wait five seconds after every five
    failed attemps, and by supporting (but not yet enabling) an opt-in
    "factory-reset your phone after X failed attemps" feature.
  * Add new horizontal list category layout. (LP: #1352226)
  * Fix qml tests - loader around PageHeader, more retries for selecting
    a scope and undefined attributes in mock overview scope.

  [ Leo Arias ]
  * Added autopilot helpers and tests for the launcher and dash icon.
  * Added an autopilot helper to click a scope item.
  * Added an autopilot test for focusing an app clicking the icon on the
    launcher.

  [ Mirco Müller ]
  * Allow ENTER/RETURN in a TextField to accept a snap-decision
    notification. (LP: #1305885)
 -- Ubuntu daily release <email address hidden> Thu, 14 Aug 2014 01:29:55 +0000

Changed in unity8 (Ubuntu):
status: New → Fix Released
Changed in unity8:
status: In Progress → Fix Released
Changed in ubuntu-ux:
assignee: nobody → Olga Kemmet (olga-kemmet)
importance: Undecided → High
status: New → Fix Committed
summary: - Delay log in attempts after several failed ones
+ [device lock] Delay log in attempts after several failed ones
Changed in ubuntu-ux:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers