The login.index endpoint should detect whether the current session is coming from a Hackspace IP address. If so then it should present keyfob login as an alternative to email login. The keyfob option should have a global rate limiter that is incremented on a failed login attempt.
The global rate limiter is there to protect against brute-force enumeration attacks on the relatively insecure keyfob-based login. If too many incorrect attempts happen then the keyfob login shall be locked out. The rate limit should be latching and require an admin to manually reset it. The limit values should be chosen such that a member who accidentally scans the incorrect card a few times doesn't trigger the system, but a persistent attack does.
If this rate limiter does get triggered accidentally by a member then we should prompt them to leave a note by the PC so we know it was an accidental trigger and not malicious.
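One way the behaviour described above could be implemented, as an added example rather than code from the project: a single global failure counter that latches into a locked state once the threshold is reached and can only be cleared by an explicit admin reset, plus the on-site IP check that decides whether the keyfob option is offered at all. The network range, fob IDs and the `lookup_member` callback are constructed for the example; a real deployment would keep the counter in shared storage (the database) rather than in process memory so that every web worker sees the same count.

```python
import ipaddress
import threading
from typing import Callable, Optional

# Constructed example: the address range(s) of the Hackspace network.
# 192.0.2.0/24 is a documentation range (TEST-NET-1), not a real site.
HACKSPACE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def from_hackspace(remote_addr: str) -> bool:
    """True if the request's source address lies inside a Hackspace network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed or missing address: never offer keyfob login
    return any(addr in net for net in HACKSPACE_NETWORKS)


class KeyfobLoginGuard:
    """Global, latching failure counter for keyfob login.

    The counter is shared by all sessions (not per user or per IP), because
    the thing being protected is the whole keyfob login path. Once the
    threshold is reached the guard stays locked until an admin resets it;
    neither elapsed time nor a later successful scan clears it, so an
    attacker cannot interleave valid scans to keep the counter low.
    """

    def __init__(self, max_failures: int = 10) -> None:
        self.max_failures = max_failures  # tune so a few mis-scans are tolerated
        self.failures = 0
        self.locked = False
        self._lock = threading.Lock()

    def is_locked(self) -> bool:
        return self.locked

    def record_failure(self) -> bool:
        """Count one failed scan; return True if the guard is now locked."""
        with self._lock:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
            return self.locked

    def admin_reset(self) -> None:
        """Manual reset by an admin: the only way out of the locked state."""
        with self._lock:
            self.failures = 0
            self.locked = False


def attempt_keyfob_login(
    guard: KeyfobLoginGuard,
    remote_addr: str,
    fob_id: str,
    lookup_member: Callable[[str], Optional[str]],
) -> str:
    """Return one of: 'unavailable', 'locked_out', 'failed', 'ok'.

    'unavailable' means the keyfob option is not offered (request is off-site);
    'locked_out' is what the page should show, together with the prompt to
    leave a note by the PC if the trigger was accidental.
    """
    if not from_hackspace(remote_addr):
        return "unavailable"
    if guard.is_locked():
        return "locked_out"
    member = lookup_member(fob_id)  # hypothetical: fob id -> member, or None
    if member is None:
        return "locked_out" if guard.record_failure() else "failed"
    return "ok"
```

Successful logins deliberately do not decrement or reset the counter; only `admin_reset()` does, which is what makes the limiter latching. The threshold is a constructor argument so the value can be tuned as the spec asks, high enough to absorb a member's occasional wrong card but low enough that a sustained run of unknown fob IDs locks the path quickly.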