[device lock] Delay log in attempts after several failed ones

Bug #1347907 reported by kevin gunn
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu UX | Fix Released | High | Olga Kemmet |
unity8 (Ubuntu) | Fix Released | Undecided | Michael Terry |

Bug Description

Capturing the desire from our security team to add in a delay for the ability to attempt unlocks on the greeter.
Unless design provides some other specification, choose 5 potential failed attempts, upon which the greeter will not unlock or allow a password entry attempt for 1 hour.

Tags: rtm14

kevin gunn (kgunn72)
Changed in unity8:
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry) wrote :

I've added an ubuntu-ux task, because I'd like guidance for how this is presented to the user.

My thinking from a technical POV is that we can use a PAM module (pam_tally2) to record failed logins. The timing is configurable with it, but the default behavior is to just silently fail. That is, once the user fails to log in, say, 5 times, then further logins for, say, an hour, will fail (even if the right password is used). Is that how we'd like it to work?

But we probably want some message to be shown to the user. Right now we don't show any text at all on incorrect entries. We just jiggle the password box.
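
The lockout behaviour discussed in the comment above (a `deny` threshold and an `unlock_time` window, named after pam_tally2's options), modelled as an added example. It is not code from this bug report, unity8 or pam_tally2; the class, function and user names, the sample PIN, the in-memory tally and the reset-after-expiry rule are assumptions.

```python
# Added illustration: a simplified model of a deny/unlock_time lockout policy.
# Not pam_tally2's implementation and not unity8 code.
import hmac
from dataclasses import dataclass


@dataclass
class Tally:
    failures: int = 0          # consecutive failed attempts
    last_failure: float = 0.0  # time of the most recent failure (seconds)


class LockoutPolicy:
    def __init__(self, deny=5, unlock_time=3600):
        self.deny = deny                # failures allowed before locking
        self.unlock_time = unlock_time  # seconds the lock lasts
        self.tallies = {}               # user -> Tally (in memory; assumption)

    def seconds_locked(self, user, now):
        """Remaining lock time for user, 0 if attempts are allowed."""
        t = self.tallies.get(user)
        if t is None or t.failures < self.deny:
            return 0
        return max(0, t.last_failure + self.unlock_time - now)

    def attempt(self, user, supplied, expected, now):
        """Return 'ok', 'bad' or 'locked' for one login attempt at time now."""
        if self.seconds_locked(user, now) > 0:
            # Locked: the secret is not even checked, so a correct
            # password fails too, as the comment above describes.
            return "locked"
        t = self.tallies.setdefault(user, Tally())
        if t.failures >= self.deny:
            t.failures = 0  # lock expired: start a fresh window (assumption)
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            t.failures = 0  # success clears the tally
            return "ok"
        t.failures += 1
        t.last_failure = now
        return "bad"


def demo():
    """Constructed scenario: five bad PINs, then the right one, then a wait."""
    p, pin = LockoutPolicy(deny=5, unlock_time=3600), "4821"
    results = [p.attempt("user1", "0000", pin, now=i) for i in range(5)]
    results.append(p.attempt("user1", pin, pin, now=10))    # right PIN, locked
    results.append(p.attempt("user1", pin, pin, now=3605))  # lock has expired
    return results
```

Because a locked attempt returns the same way whatever was typed, the greeter needs `seconds_locked` (or an equivalent) to tell the user why the correct passcode is being refused.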

Michael Terry (mterry) wrote :

Oh and one security facet of pam_tally2 is that because we're not using the split greeter, we'd have to store the tally record in the user's home directory. I don't think this is a security risk, since if you have access to the home directory, you don't need to bother with being locked out. And the system is inherently single-user as long as we don't have a split greeter. So no worries there. Just pointing it out.

kevin gunn (kgunn72)
tags: added: rtm14
Michael Terry (mterry) wrote :

Per design:
https://docs.google.com/a/canonical.com/document/d/1VajNkWbBH61iVixXJAmOvNGiG__GWQTMXGNOZijXWJw/edit#heading=h.6zhf6wqejmh6
(search for "passcode incorrect")

They want us to factory-reset the phone after 10 failed entries. While this isn't a delay, it solves the same security problem of trying to brute force the password.

summary: - create a delay for password failure attempts
+ Factory-reset the phone after enough failure attempts
Michael Terry (mterry) wrote : Re: Factory-reset the phone after enough failure attempts

OK, after talking to design and security, we're going to use delays by default. Marc suggested a 5 minute wait after 5 failed attempts. So I'll start with that.

Design would still like to add the ability to wipe after some failures as an opt-in option. See bug 1350449 for that. I'll revert the bug title here.

summary: - Factory-reset the phone after enough failure attempts
+ Delay log in attempts after several failed ones
Michael Terry (mterry)
Changed in unity8:
status: New → In Progress
Michael Terry (mterry) wrote : Re: Delay log in attempts after several failed ones

unity8 (8.00+14.10.20140814.1-0ubuntu1) utopic; urgency=low

  [ Michael Terry ]
  * Add --lightdm= argument to ./run.sh that lets developers choose
    which lightdm backend to use. Stop letting a user that is
    immediately denied via PAM into the shell by fixing some assumptions
    that a user which was not prompted was successfully authenticated.
    This is not a common situation, you'd have to manually change your
    PAM config. Fix a small console warning.
  * Make wrong-password handling much nicer by showing a pretty spinner
    while we wait for PAM, by improving the prompt text to match
    designs, by forcing the user to wait five seconds after every five
    failed attempts, and by supporting (but not yet enabling) an opt-in
    "factory-reset your phone after X failed attempts" feature.

  [ Michael Zanetti ]
  * bring back network caching in dash (LP: #1355729)

  [ Michał Sawicz ]
  * Add --lightdm= argument to ./run.sh that lets developers choose
    which lightdm backend to use. Stop letting a user that is
    immediately denied via PAM into the shell by fixing some assumptions
    that a user which was not prompted was successfully authenticated.
    This is not a common situation, you'd have to manually change your
    PAM config. Fix a small console warning.
  * Fix anchor in PreviewListView.qml.
  * Make wrong-password handling much nicer by showing a pretty spinner
    while we wait for PAM, by improving the prompt text to match
    designs, by forcing the user to wait five seconds after every five
    failed attempts, and by supporting (but not yet enabling) an opt-in
    "factory-reset your phone after X failed attempts" feature.
  * Add new horizontal list category layout. (LP: #1352226)
  * Fix qml tests - loader around PageHeader, more retries for selecting
    a scope and undefined attributes in mock overview scope.

  [ Leo Arias ]
  * Added autopilot helpers and tests for the launcher and dash icon.
  * Added an autopilot helper to click a scope item.
  * Added an autopilot test for focusing an app clicking the icon on the
    launcher.

  [ Mirco Müller ]
  * Allow ENTER/RETURN in a TextField to accept a snap-decision
    notification. (LP: #1305885)
 -- Ubuntu daily release <email address hidden> Thu, 14 Aug 2014 01:29:55 +0000

Changed in unity8 (Ubuntu):
status: New → Fix Released
Changed in unity8:
status: In Progress → Fix Released
Changed in ubuntu-ux:
assignee: nobody → Olga Kemmet (olga-kemmet)
importance: Undecided → High
status: New → Fix Committed
summary: - Delay log in attempts after several failed ones
+ [device lock] Delay log in attempts after several failed ones
Changed in ubuntu-ux:
status: Fix Committed → Fix Released
Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
assignee: nobody → Michael Terry (mterry)
no longer affects: unity8