I made a couple of test logins with wrong credentials. As a result it seems that the account got locked. This process does not seem to be well thought out:
There is no description for the valid account holder of how to unlock the account. Waiting is not a good approach for the true account holder.
It seems that I would be able to lock any account if I know the email address of the account holder, simply by making some false login attempts.
I was able to make many login attempts in a row.
I did not receive a warning; thinking of it, it might be this: 2 different errors on US2
Maybe the error "Unexpected token T in JSON at position 0" should have been the warning or the lockout message? I don't know.
My suggestions would be:
Impose an increasing waiting time between wrong logins
Have a process in place for the valid account holder to unlock his account
Display the description to unlock / remaining waiting time
Don’t allow an adversary to impose a lock onto an account just because he knows the email address of a user
There is an additional idea that I know from LastPass and which is very useful. As a LastPass user I can restrict login to specific IPs/regions. And, very useful, I can disallow logins that come from the Tor network. Maybe such an implementation would be interesting to secure Storj accounts further.
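The suggestions in the post above (increasing wait between wrong logins, an owner-driven unlock, showing the remaining wait, and not letting someone who only knows an email address lock the account) can be combined in one small throttle. The following is an added example written for this page; it is not Storj code and does not describe how the Storj satellite actually handles lockouts. The account name, IP addresses, password and the constants `BASE_DELAY`, `MAX_DELAY`, `IP_WINDOW` and `IP_BUDGET` are all constructed for the demo. The key design choice is that the backoff is keyed on the (email, source IP) pair rather than on the email alone, and a separate per-IP budget stops one source from spraying failures across many accounts.

```python
"""Added example (not Storj code): per-(account, IP) login backoff, a per-IP
failure budget, a retry-after value for the UI, and an email unlock token."""
import hashlib, hmac, secrets, time
from dataclasses import dataclass

BASE_DELAY = 2.0        # seconds after the first failure; doubles per failure
MAX_DELAY = 15 * 60.0   # cap for the per-(email, ip) backoff
IP_WINDOW = 10 * 60.0   # sliding window for the per-IP failure budget
IP_BUDGET = 20          # failures one IP may spend across all accounts

@dataclass
class Decision:
    status: str                # "ok", "denied", "wait" or "ip_blocked"
    retry_after: float = 0.0   # seconds to show the user before retrying

@dataclass
class _Failures:
    count: int = 0
    last: float = 0.0

def _delay(f: _Failures) -> float:
    return 0.0 if f.count == 0 else min(MAX_DELAY, BASE_DELAY * 2 ** (f.count - 1))

class LoginThrottle:
    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify      # callable(email, password) -> bool
        self._clock = clock
        self._pair = {}            # (email, ip) -> _Failures
        self._ip_hits = {}         # ip -> [failure timestamps]
        self._unlock = {}          # email -> sha256(outstanding token)

    def attempt(self, email: str, ip: str, password: str) -> Decision:
        email, now = email.lower(), self._clock()
        # Per-IP budget: one source cannot spray failures across many accounts.
        hits = [t for t in self._ip_hits.get(ip, []) if now - t < IP_WINDOW]
        self._ip_hits[ip] = hits
        if len(hits) >= IP_BUDGET:
            return Decision("ip_blocked", IP_WINDOW - (now - hits[0]))
        # Backoff keyed on (email, ip): knowing the email alone does not let an
        # attacker impose a wait on the owner logging in from another address.
        f = self._pair.setdefault((email, ip), _Failures())
        remaining = f.last + _delay(f) - now
        if remaining > 0:
            return Decision("wait", remaining)   # password is not even checked
        if self._verify(email, password):
            self._pair.pop((email, ip), None)
            return Decision("ok")
        f.count, f.last = f.count + 1, now
        hits.append(now)
        return Decision("denied", _delay(f))

    def issue_unlock_token(self, email: str) -> str:
        """Token to mail to the account holder; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        self._unlock[email.lower()] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def unlock(self, email: str, token: str) -> bool:
        """Owner-driven unlock: clears every backoff entry for the account."""
        email = email.lower()
        digest = hashlib.sha256(token.encode()).hexdigest()
        expected = self._unlock.get(email)
        if expected is None or not hmac.compare_digest(expected, digest):
            return False
        del self._unlock[email]
        for key in [k for k in self._pair if k[0] == email]:
            del self._pair[key]
        return True

# Constructed demo data; a real service compares against an Argon2/bcrypt hash.
USERS = {"alice@example.com": "correct horse battery staple"}

def demo_verify(email: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(email.lower(), ""), password)

class FakeClock:                     # deterministic clock; the demo never sleeps
    t = 1000.0
    def __call__(self) -> float:
        return self.t

def demo() -> dict:
    clock = FakeClock()
    t = LoginThrottle(demo_verify, clock)
    email, owner_ip, attacker_ip = "alice@example.com", "198.51.100.7", "203.0.113.9"
    delays = []   # attacker knows the email and waits out each backoff
    for _ in range(4):
        clock.t += delays[-1] if delays else 0
        delays.append(t.attempt(email, attacker_ip, "guess").retry_after)
    blocked = t.attempt(email, attacker_ip, "guess")       # retried too early
    owner_ok = t.attempt(email, owner_ip, USERS[email])    # owner is unaffected
    t.attempt(email, owner_ip, "typo")                     # owner's own slip
    waiting = t.attempt(email, owner_ip, USERS[email])     # right, but too soon
    token = t.issue_unlock_token(email)                    # "sent" to the owner
    bad_unlock = t.unlock(email, "not-the-token")
    good_unlock = t.unlock(email, token)
    after_unlock = t.attempt(email, owner_ip, USERS[email])
    for i in range(IP_BUDGET):                             # spraying many accounts
        t.attempt(f"user{i}@example.com", "192.0.2.1", "guess")
    sprayed = t.attempt("someone@example.com", "192.0.2.1", "guess")
    return {"delays": delays, "blocked": blocked.status, "blocked_wait": blocked.retry_after,
            "owner_ok": owner_ok.status, "waiting": waiting.status,
            "waiting_for": waiting.retry_after, "bad_unlock": bad_unlock,
            "good_unlock": good_unlock, "after_unlock": after_unlock.status,
            "sprayed": sprayed.status, "sprayed_wait": sprayed.retry_after}

if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment would need beyond this sketch: the source address should be the real client address (not a proxy or load balancer), and the unlock token should expire and be sent only to the address on file, since it resets the account's backoff from every source. The `retry_after` value in each `Decision` is what the login page would display as the remaining waiting time instead of an unexplained JSON error.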