Hello, doesn't this setting solve that problem?

*cas.authn.mfa.gauth.core.maximum-authentication-attempts=0*

Maximum number of authentication attempts allowed for a token validation attempt. If the number of attempts exceeds this value, authentication will halt. A negative or zero value (default) means no limits are enforced. Note that the user account is not locked out by default; only the CAS authentication flow is halted and the user is notified and required to restart the authentication process again.

https://apereo.github.io/cas/development/mfa/GoogleAuthenticator-Authentication.html

On Friday, 24 October 2025 at 18:15:23 UTC+3, Matthew Gordon wrote:
> Hi Nordy,
>
> Throttling does work -
> https://apereo.github.io/cas/development/authentication/Configuring-Authentication-Throttling-Failure.html
>
> Thank you,
> Matt
>
> On Friday, July 11, 2025 at 12:46:50 PM UTC-4 Nordy Di Marzio wrote:
>
>> Hello,
>>
>> I am facing the same challenge trying to prevent such a problem (brute force
>> on scratch codes).
>>
>> Have you found any solution or alternative to cover the issue?
>>
>> Thanks for your help.
>> Nordy
>>
>> On Sunday, 25 December 2022 at 04:51:26 UTC+1, Matthew Gordon wrote:
>>
>>> Hello,
>>>
>>> How could I prevent brute force of the scratch codes for MFA gauth?
>>>
>>> Basically you can sit there rolling through the MFA codes until one hits
>>> a scratch code, without things failing. Is there some way to cap failed MFA
>>> logins, or integrate it with throttling?
>>>
>>> I tried building CAS with Throttling as well (
>>> https://apereo.github.io/cas/development/authentication/Configuring-Authentication-Throttling.html),
>>>
>>> hoping that would work for MFA, but it just adds an entry per failed MFA
>>> token, which is a good way to trigger a denial of service, possibly filling
>>> up whatever storage you use.
>>>
>>> Thank you,
>>> Matt
>>>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff8135a7-7bda-4a2f-b8c6-441814f69f95n%40apereo.org.
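A CAS properties fragment, added here as an illustration and not taken from the thread or from the CAS project, showing the unlimited default beside a capped setting for the key quoted above. The cap value of 3 and the throttle values are assumptions; the throttle keys are the ones I know from the CAS throttling documentation linked in the thread, not from this page.

```properties
# Added example, not from the thread or the CAS project.
# The gauth key is the one quoted in the reply above; the throttle keys follow
# the CAS throttling documentation linked in the thread. All values are assumed.

# Weak (the default): 0 or a negative value enforces no limit, so a client can
# keep submitting OTP or scratch-code guesses inside one authentication flow.
#cas.authn.mfa.gauth.core.maximum-authentication-attempts=0

# Capped: after 3 failed token validations the MFA flow halts and the user is
# told to restart; the account itself is not locked out.
cas.authn.mfa.gauth.core.maximum-authentication-attempts=3

# Optional, in addition: throttle failures at the authentication layer.
# Throttling records each failure (the storage concern Matt raised), so keep
# the window bounded and size the throttle store for it.
cas.authn.throttle.failure.threshold=5
cas.authn.throttle.failure.range-seconds=60
```

The cap applies per token validation attempt within the flow, while throttling stores a record for each failure; if both are enabled, the throttle store is the part that needs capacity planning.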
