docs: user-management: add section for TFA lockouts

adapted from pve-docs' commit 96a0d13 ("user management: document TFA
lockout")

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2023-06-26 20:07:39 +02:00
parent f905e05cff
commit c724c00667

View File

@ -563,6 +563,32 @@ use :ref:`API Tokens <user_tokens>` for all other use cases, especially
non-interactive ones (for example, adding a Proxmox Backup Server to Proxmox VE
as a storage).
.. _user_tfa_lockout:
Limits and Lockout of Two-Factor Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A second factor is meant to protect users if their password is somehow leaked
or guessed. However, some factors could still be broken by brute force. For
this reason, users will be locked out after too many failed 2nd factor login
attempts.
For TOTP, 8 failed attempts will disable the user's TOTP factors. They are
unlocked when logging in with a recovery key. If TOTP was the only available
factor, admin intervention is required, and it is highly recommended to require
the user to change their password immediately.
Since FIDO2/Webauthn and recovery keys are less susceptible to brute force
attacks, the limit there is higher (100 tries), but all second factors are
blocked for an hour when exceeded.
An admin can unlock a user's Two-Factor Authentication at any time via the user
list view in the web UI, or using the command line:
.. code-block:: console
proxmox-backup-manager user tfa unlock joe@pve
Authentication Realms
---------------------