Version 5 supported

Security

Login attempts

The MFA module makes use of the framework's LoginAttempt API to ensure that a user can only attempt to register or verify an MFA method a certain number of times. Since it re-uses the core API, it also shares the maximum number of attempts with login attempts themselves: failed password entries and failed MFA attempts are counted against the same limit.

For example: if the maximum number of login attempts (Member.lock_out_after_incorrect_logins) is 5, and a user incorrectly enters their password twice, correctly enters it once, then incorrectly enters a TOTP code three times, they will be registered as locked out for a specified period of time (Member.lock_out_delay_mins). In this case, the user will be shown a message when trying to verify their TOTP code similar to "Your account is temporarily locked. Please try again later."
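As an added illustration, not code from the MFA module or the framework: a small Python model of the shared attempt counter that walks through the exact sequence above. The constants and the Member class are stand-ins for Member.lock_out_after_incorrect_logins and Member.lock_out_delay_mins (the 15-minute delay is a constructed value), and the real bookkeeping lives in the framework's LoginAttempt API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCK_OUT_AFTER_INCORRECT_LOGINS = 5   # stand-in for Member.lock_out_after_incorrect_logins
LOCK_OUT_DELAY_MINS = 15              # stand-in for Member.lock_out_delay_mins (constructed)
LOCKED_MESSAGE = "Your account is temporarily locked. Please try again later."


@dataclass
class Member:
    failed_count: int = 0
    locked_out_until: Optional[datetime] = None

    def is_locked_out(self, now: datetime) -> bool:
        return self.locked_out_until is not None and now < self.locked_out_until

    def register_failed_attempt(self, now: datetime) -> None:
        self.failed_count += 1  # wrong passwords and wrong TOTP codes share this counter
        if self.failed_count >= LOCK_OUT_AFTER_INCORRECT_LOGINS:
            self.locked_out_until = now + timedelta(minutes=LOCK_OUT_DELAY_MINS)
            self.failed_count = 0

    def register_successful_login(self) -> None:
        self.failed_count = 0  # only a fully completed login (password and MFA) clears it
        self.locked_out_until = None


def attempt(member: Member, step: str, ok: bool, now: datetime):
    """One step of the flow; step is 'password' or 'mfa' (register or verify)."""
    if member.is_locked_out(now):
        return False, LOCKED_MESSAGE
    if not ok:
        member.register_failed_attempt(now)
        if member.is_locked_out(now):
            return False, LOCKED_MESSAGE
        return False, "incorrect " + step
    if step == "password":
        return True, "password accepted, MFA still required"  # login not complete, no reset
    member.register_successful_login()
    return True, "login complete"


def page_scenario(now: datetime = datetime(2024, 1, 1, 12, 0)):
    """2 wrong passwords, 1 correct, 3 wrong TOTP codes: five shared failures."""
    m = Member()
    steps = [("password", False)] * 2 + [("password", True)] + [("mfa", False)] * 3
    log = [attempt(m, s, ok, now) for s, ok in steps]
    log.append(attempt(m, "mfa", True, now))  # a correct code is refused while locked
    later = now + timedelta(minutes=LOCK_OUT_DELAY_MINS)
    log.append(attempt(m, "mfa", True, later))  # allowed again once the delay has passed
    return m, log
```

The third wrong TOTP code is the fifth shared failure, so it is the step that produces the "temporarily locked" message even though only two of the five failures were password failures.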

For more information on this, see Secure Coding.
