Thank you Juliet,
Following up on your comment, a pop-up screen requesting a reference code normally appears when an attempt is made to resume/load data from a saved transaction.
If an attempt to resume/load non-existing data is made, the pop-up would clear its field & continue to stay on for another reference code to be entered until it's right or the user decides to cancel.
Just sharing, the following conditions & properties are at play in the dev environment.
Scenario 1:
a. Disable security questions - Save Confirm & Save Challenge (Not in use)
b. Max Save Challenge Requests = 5
c. Save Challenge Lockout Minutes = 15
- Its form resume process is vulnerable to brute force attack, because the pop-up continues to allow attackers to keep trying with no limit counter to stop it.
- Getting the reference code wrong in this scenario will not trigger the lockouts & the property "Save Challenge Failures" (Found in a Transaction's --> Transaction Details Tab in Avoka Transact Manager) does not increment even when the reference code is invalid, hence the unlimited attempts to resume the form.
Scenario 2: (An attempt to get "Save Challenge Failure" counter to increment)
a. Disable security questions - Save Confirm has a security question where its "Form Data Config Mapping" is set to Save Challenge.
The security question field is active; however, it's never used, by having its visibility set to false.
b. Max Save Challenge Requests = 5
c. Save Challenge Lockout Minutes = 15
- Enabling & then hiding the security question enables "Save Challenge Failures" to come into play.
However, instead of incrementing the counter when an invalid reference code is used, it increments the counter when a valid reference code is provided & loads/resumes the form successfully.
- This leads to a scenario where a user could resume successfully up to 5 times before the form locks for 15 minutes & releases again.
So the counter works but it still isn't limiting brute force attempts with random reference codes because the counter doesn't increment.
Similar to what is described in Scenario 1 above.
Background:
Is there a way to temporarily disable attempts to resume a form with a reference code after reaching the maximum failed attempts?
The implementation is intended without using a Save Challenge / Security questions.
E.g.
User attempts form resume (Using reference code) --> Lock form resume for 15 mins (If failed 5 attempts limit) --> Re-open enable form resume (After 15 mins)
Journey Maestro version: 20.05.2
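The lockout flow asked for above (5 failed attempts, 15-minute lock, then re-open), sketched as an added example that is not part of the original posts and does not use any Avoka Transact or Journey Maestro API. It assumes a server-side check keyed by a hypothetical client identifier (session id or source address), since an invalid reference code matches no saved transaction that could hold a per-transaction counter; `ResumeLimiter`, `try_resume` and the in-memory code set are illustrative names.

```python
import time

MAX_FAILURES = 5            # mirrors "Max Save Challenge Requests = 5"
LOCKOUT_SECONDS = 15 * 60   # mirrors "Save Challenge Lockout Minutes = 15"


class ResumeLimiter:
    """Server-side failed-attempt limiter for resume-by-reference-code."""

    def __init__(self, saved_codes, clock=time.monotonic):
        self._saved = set(saved_codes)   # stand-in for the saved-transaction lookup
        self._clock = clock              # injectable so lockout expiry can be tested
        self._state = {}                 # client_id -> {"fails": [...], "locked_until": t}

    def try_resume(self, client_id, reference_code):
        now = self._clock()
        entry = self._state.setdefault(
            client_id, {"fails": [], "locked_until": None})

        if entry["locked_until"] is not None:
            if now < entry["locked_until"]:
                # Refuse before any lookup: a locked client learns nothing,
                # even if the code it submits happens to be valid.
                return "locked"
            entry["fails"], entry["locked_until"] = [], None  # lockout served

        if reference_code in self._saved:
            # Success neither increments the counter (the Scenario 2 behaviour)
            # nor resets it, so one known-valid code cannot clear failures.
            return "resumed"

        # Only invalid codes count; failures older than the window age out.
        recent = [t for t in entry["fails"] if now - t < LOCKOUT_SECONDS]
        entry["fails"] = recent + [now]
        if len(entry["fails"]) >= MAX_FAILURES:
            entry["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

In a real deployment the state would live in shared storage rather than process memory, so the limit holds across application nodes.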