kanidm/designs/account_policy.rst

Account Policy and Lockouts
---------------------------

For accounts we need to be able to define securite constraints and limits to prevent malicious use
or attacks from succeeding. While these attacks may have similar sources or goals, the defences
to them may vary.

A list (not comprehensive) of these include:

* Credential Stuffing
* Phishing (Site Impersonation)
* Key Logging / Physical Discovery
* Common Password / Spray
* Brute Force

Credential Policies
===================

As the majority of the attacks listed can be prevented with TOTP, and all effectively defeated with
Webauthn, it's essential that policies can exist that allow an administrator to set requirements
on accounts to what level of authentication they require to protect resources.

Credential Polcies are inherited from groups, as groups grant rights and claims to other resources.
Since it is these resources and privileges we wish to protect, logically the credential policy becomes
part of the group that should be protected.

When multiple credential policies exist that may be conflicting, the "stricter" policy is enforced
as a group in the set requires it.

The strength of credentials is today sorted as:

* (weakest)
* Password
* GeneratedPassword
* Webauthn (with out verification)
* TOTP + Password
* Webauthn + Password
* WebauthnVerified
* WebauthnVerified + Password
* (strongest)

Rate Limiting
======================

Rate Limiting is the process of delaying authentication responses to slow the number of attempts
against an account to deter attackers. This is often used to prevent attackers from bruteforcing
passwords at a high rate.

The best defence again these attacks is Multi-factor authentication (MFA). Due to the design of Kanidm,
the second factor (ie the webauthn token or the OTP) is always checked *before* the password,
meaning that the attacker is unable to attack the password *unless* they also have
the corresponding MFA token.

However, not all accounts will have MFA enabled, which means that defences are still required to
prevent these attacks for password-only accounts. Accounts protected with TOTP must also be rate
limited according to [NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html).
Webauthn does *not* require rate-limiting as a single factor or multi factor device.

As an account can only have a single proceeding authentication session at a time, this provides
serialisation and rate limiting per account of the service. However, as Kanidm will in the future
support multiple, distributed replicas, we must consider an architecture that allows eventually
consistent behaviour.

NIST SP800 63b recommends that after 100 failed attempts that the account be locked. Due to the
eventually consistent nature, this poses a challenge, namely that:

* Synchronising this account lock may not be instant, allowing further attempts on parallel servers.
* That read only servers may exist in the system which can not write to the entries.
* A malicious party may intentionally send incorrect values to force an account to lock.

To account for this for accounts with TOTP:

* After an 5 incorrect TOTP's within the time window, the account is locked for 60 seconds. This prevents bruteforce of the TOTP.

For accounts with password-only:

* After 5 incorrect attempts the account is rate limited by an increasing time window within the API. This limit delays the response to the auth (regardless of success)
* After X attempts, the account is soft locked on the affected server only for a time window of Y increasing up to Z.
* If the attempts continue, the account is hard locked and signalled to an external system that this has occured.

The value of X should be less than 100, so that the NIST guidelines can be met. This is beacuse when there are
many replicas, each replica maintains its own locking state, so "eventually" as each replica is attempted to be
bruteforced, then they will all eventually soft lock the account. In larger environments, we require
external signalling to coordinate the locking of the account.

In the future, this can also be informed by:

* IP/GEOIP from past login's to determine if the behaviour is expected.
* HTTP/Browser ID to determine if it's "likely" the person in question.

These can then assist with choosing to lock or allow an auth to proceed in the face of an attack.

FUTURE:
* Delayed notification about suspect login?

Ratelimit on unix auth

Hard Lock + Expiry/Active Time Limits
=====================================

It must be possible to expire an account so it no longer operates (IE temporary contractor) or
accounts that can only operate after a known point in time (Student enrollments and their course
commencment date).

This expiry must exist at the account level, but also on issued token/API password levels. This allows revocation of
individual tokens, but also the expiry of the account and all tokens as a whole. This expiry may be
undone, allowing the credentials to become valid once again.

On the account, this is represented by two date times. AuthAllowFrom and AuthAllowUntil. These
are stored on the server in unix epoch to account for timezones and geographic distribution.

* Interaction with already issued tokens.
    * it prevents them from working?

Must prevent creation of RADIUS auth tokens

Must prevent login via unix.

Application Passwords / Issued Oauth Tokens
===========================================

* Relates to claims
* Need their own expirys
* Need ratelimit as above?
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`Account Policy and Lockouts`
			`---------------------------`

			`For accounts we need to be able to define securite constraints and limits to prevent malicious use`
			`or attacks from succeeding. While these attacks may have similar sources or goals, the defences`
			`to them may vary.`

			`A list (not comprehensive) of these include:`

			`* Credential Stuffing`
			`* Phishing (Site Impersonation)`
			`* Key Logging / Physical Discovery`
			`* Common Password / Spray`
			`* Brute Force`

			`Credential Policies`
			`===================`

			`As the majority of the attacks listed can be prevented with TOTP, and all effectively defeated with`
			`Webauthn, it's essential that policies can exist that allow an administrator to set requirements`
			`on accounts to what level of authentication they require to protect resources.`

			`Credential Polcies are inherited from groups, as groups grant rights and claims to other resources.`
			`Since it is these resources and privileges we wish to protect, logically the credential policy becomes`
			`part of the group that should be protected.`

			`When multiple credential policies exist that may be conflicting, the "stricter" policy is enforced`
			`as a group in the set requires it.`

			`The strength of credentials is today sorted as:`

			`* (weakest)`
			`* Password`
			`* GeneratedPassword`
			`* Webauthn (with out verification)`
			`* TOTP + Password`
			`* Webauthn + Password`
			`* WebauthnVerified`
			`* WebauthnVerified + Password`
			`* (strongest)`

			`Rate Limiting`
			`======================`

			`Rate Limiting is the process of delaying authentication responses to slow the number of attempts`
			`against an account to deter attackers. This is often used to prevent attackers from bruteforcing`
			`passwords at a high rate.`

I might have become clippy this time (#449) * clippiness * it is really handy that we have tests * it is still really handy that we have tests 2021-05-22 06:48:08 +02:00			`The best defence again these attacks is Multi-factor authentication (MFA). Due to the design of Kanidm,`
			`the second factor (ie the webauthn token or the OTP) is always checked before the password,`
			`meaning that the attacker is unable to attack the password unless they also have`
			`the corresponding MFA token.`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
			`However, not all accounts will have MFA enabled, which means that defences are still required to`
			`prevent these attacks for password-only accounts. Accounts protected with TOTP must also be rate`
I might have become clippy this time (#449) * clippiness * it is really handy that we have tests * it is still really handy that we have tests 2021-05-22 06:48:08 +02:00			`limited according to [NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html).`
			`Webauthn does not require rate-limiting as a single factor or multi factor device.`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
			`As an account can only have a single proceeding authentication session at a time, this provides`
			`serialisation and rate limiting per account of the service. However, as Kanidm will in the future`
			`support multiple, distributed replicas, we must consider an architecture that allows eventually`
			`consistent behaviour.`

			`NIST SP800 63b recommends that after 100 failed attempts that the account be locked. Due to the`
			`eventually consistent nature, this poses a challenge, namely that:`

			`* Synchronising this account lock may not be instant, allowing further attempts on parallel servers.`
			`* That read only servers may exist in the system which can not write to the entries.`
			`* A malicious party may intentionally send incorrect values to force an account to lock.`

			`To account for this for accounts with TOTP:`

			`* After an 5 incorrect TOTP's within the time window, the account is locked for 60 seconds. This prevents bruteforce of the TOTP.`

			`For accounts with password-only:`

			`* After 5 incorrect attempts the account is rate limited by an increasing time window within the API. This limit delays the response to the auth (regardless of success)`
			`* After X attempts, the account is soft locked on the affected server only for a time window of Y increasing up to Z.`
			`* If the attempts continue, the account is hard locked and signalled to an external system that this has occured.`

			`The value of X should be less than 100, so that the NIST guidelines can be met. This is beacuse when there are`
I might have become clippy this time (#449) * clippiness * it is really handy that we have tests * it is still really handy that we have tests 2021-05-22 06:48:08 +02:00			`many replicas, each replica maintains its own locking state, so "eventually" as each replica is attempted to be`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`bruteforced, then they will all eventually soft lock the account. In larger environments, we require`
			`external signalling to coordinate the locking of the account.`

			`In the future, this can also be informed by:`

			`* IP/GEOIP from past login's to determine if the behaviour is expected.`
			`* HTTP/Browser ID to determine if it's "likely" the person in question.`

			`These can then assist with choosing to lock or allow an auth to proceed in the face of an attack.`

			`FUTURE:`
			`* Delayed notification about suspect login?`

			`Ratelimit on unix auth`

			`Hard Lock + Expiry/Active Time Limits`
			`=====================================`

			`It must be possible to expire an account so it no longer operates (IE temporary contractor) or`
			`accounts that can only operate after a known point in time (Student enrollments and their course`
			`commencment date).`

I might have become clippy this time (#449) * clippiness * it is really handy that we have tests * it is still really handy that we have tests 2021-05-22 06:48:08 +02:00			`This expiry must exist at the account level, but also on issued token/API password levels. This allows revocation of`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`individual tokens, but also the expiry of the account and all tokens as a whole. This expiry may be`
			`undone, allowing the credentials to become valid once again.`

			`On the account, this is represented by two date times. AuthAllowFrom and AuthAllowUntil. These`
			`are stored on the server in unix epoch to account for timezones and geographic distribution.`

			`* Interaction with already issued tokens.`
			`* it prevents them from working?`

I might have become clippy this time (#449) * clippiness * it is really handy that we have tests * it is still really handy that we have tests 2021-05-22 06:48:08 +02:00			`Must prevent creation of RADIUS auth tokens`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
			`Must prevent login via unix.`

			`Application Passwords / Issued Oauth Tokens`
			`===========================================`

			`* Relates to claims`
			`* Need their own expirys`
			`* Need ratelimit as above?`