Brute Force Protection

Edit this page

Brute Force Protection

Brute force protection is essential for two-factor authentication, because otherwise the authentication code could just be guessed by an attacker. The bundle doesn't come with a predefined anti brute force solution, but you can easily implement one by listening to the events provided by the bundle.

1) Log failed two-factor attempts

Register a listener for the scheb_two_factor.authentication.failure event. Log whatever you need (IP, user, etc.) to detect brute force attacks.

2) Block authentication

Register a listener for the scheb_two_factor.authentication.attempt event. Execute your brute-force detection logic and decide if the attempt should be blocked. Since that event is dispatched directly before the two-factor code is checked, you can prevent that from happening by throwing a new exception of type Symfony\Component\Security\Core\Exception\AuthenticationException. That exception will be caught by the authentication layer and the exception message is shown to the user.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.