This?
I made a couple of test logins with wrong credentials. As a result it seems that the account got locked. This process does not seem to be well thought out:
- There is no description for the valid account holder of how to unlock the account. Waiting is not a good approach for the true account holder.
- It seems that I would be able to lock any account if I know the email address of the account holder, simply by doing some false login attempts.
- I was able to do many login attempts in a row.
- I did not receive a warning; thinking of it, it might be this: 2 different errors on US2
Maybe the error `Unexpected token T in JSON at position 0` should have been the warning or the lockout message? I don’t know.
My suggestions would be:
- Impose an increasing waiting time between wrong logins
- Have a process in place for the valid account holder to unlock his account
- Display the description to unlock / remaining waiting time
- Don’t allow an adversary to impose a lock onto an account just because he knows the email address of a user
There is an additional idea that I know from Lastpass and which is very useful. As a Lastpass user I can restrict login to specific IPs/Regions. And - very useful - I can disallow logins that come from the Tor network. Maybe such an implementation would be interesting to secure Storj accounts further.
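One way to implement the escalating wait between wrong logins and to keep a stranger who only knows the email address from locking out the real owner, as an added example that is not Storj's code: failures are counted per (account, source) pair, the delay doubles up to a cap, and the remaining wait is exposed so it can be displayed. The constants, the injected clock and the in-memory dict are assumptions.

```python
"""Login throttle sketch: escalating delay per (account, source) pair.

Added example, not Storj code. The clock is injected so the behaviour can
be tested deterministically; a real deployment would keep the state in a
shared store rather than a process-local dict.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

BASE_DELAY = 2.0     # seconds after the first failure (assumed value)
MAX_DELAY = 900.0    # cap so a legitimate user is never locked out for good


@dataclass
class FailureState:
    count: int = 0
    blocked_until: float = 0.0


@dataclass
class LoginThrottle:
    now: Callable[[], float]
    state: Dict[Tuple[str, str], FailureState] = field(default_factory=dict)

    def _key(self, email: str, source: str) -> Tuple[str, str]:
        # Keying on (account, source) means someone who only knows the
        # e-mail address slows down their own source, not the real owner
        # logging in from elsewhere.
        return (email.lower(), source)

    def remaining_wait(self, email: str, source: str) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt is allowed.

        This is the value the login page can show instead of a bare error."""
        st = self.state.get(self._key(email, source))
        if st is None:
            return 0.0
        return max(0.0, st.blocked_until - self.now())

    def record_failure(self, email: str, source: str) -> float:
        """Register a wrong password; returns the new wait in seconds."""
        st = self.state.setdefault(self._key(email, source), FailureState())
        st.count += 1
        delay = min(BASE_DELAY * 2 ** (st.count - 1), MAX_DELAY)
        st.blocked_until = self.now() + delay
        return delay

    def record_success(self, email: str, source: str) -> None:
        """A correct login clears the counter for that pair."""
        self.state.pop(self._key(email, source), None)
```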