split from 2.2.1 - disallow account lockout #2134
Labels: 1) Discussion ongoing; Community wanted; V2; _5.0 - prep
Spin-off from #1763 (comment)
As current 2.2.1 requires work, and should have a clear anti-automation goal, it makes sense to separate the lockout part from this.
First question is: do we need this requirement? What does NIST say about it? How can it fire back?
In practice, I have seen "enough times" solutions where, via some web application's authentication form, you can lock out an entire organization's or company's user base with incorrect credentials.
Idea proposal from @tghosth
This serves the goal of explaining the idea, but should be written as a positive requirement.
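As an added example (not code from this issue or from ASVS), the naive hard lockout the comment warns about is shown beside the device-cookie variant OWASP describes for slowing online guessing: an attacker who only knows a username can lock the first, but not a user who logs in from a browser holding a cookie issued on an earlier successful login. In-memory state, a constructed signing key and plaintext password comparison are simplifications of this example.

```python
import hmac, secrets

MAX_FAILURES, LOCK_SECONDS = 5, 15 * 60  # failures tolerated; lockout window (s)

class HardLockoutAuth:
    """Naive policy: MAX_FAILURES wrong passwords lock the account for everyone."""
    def __init__(self, users):
        self.users = dict(users)  # plaintext for brevity; real code stores password hashes
        self.failures, self.locked_until = {}, {}
    def _check(self, user, password):
        return user in self.users and hmac.compare_digest(self.users[user].encode(), password.encode())
    def login(self, user, password, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                 # anyone who knows the username can cause this
        if self._check(user, password):
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
        return "denied"

class DeviceCookieAuth(HardLockoutAuth):
    """Lockout applies only to clients without a signed device cookie from a prior success."""
    def __init__(self, users):
        super().__init__(users)
        self.key = secrets.token_bytes(32)  # server-side signing key (constructed)
        self.cookie_failures, self.revoked = {}, set()
    def _sign(self, user, nonce):
        return hmac.new(self.key, f"{user}:{nonce}".encode(), "sha256").hexdigest()
    def _trusted(self, user, cookie):
        parts = (cookie or "").split(":")
        if len(parts) != 3 or cookie in self.revoked:
            return False
        return parts[0] == user and hmac.compare_digest(parts[2].encode(), self._sign(user, parts[1]).encode())
    def login(self, user, password, now, cookie=None):
        trusted = self._trusted(user, cookie)
        if not trusted and self.locked_until.get(user, 0) > now:
            return "locked", None           # only untrusted clients see the lockout
        if self._check(user, password):
            nonce = secrets.token_hex(8)
            return "ok", f"{user}:{nonce}:{self._sign(user, nonce)}"
        if trusted:                         # failures behind a cookie burn that cookie only
            self.cookie_failures[cookie] = self.cookie_failures.get(cookie, 0) + 1
            if self.cookie_failures[cookie] >= MAX_FAILURES:
                self.revoked.add(cookie)
        else:                               # untrusted failures lock out untrusted clients
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILURES:
                self.locked_until[user] = now + LOCK_SECONDS
        return "denied", None
```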