Feature Request: Enhanced MFA Security Controls
We propose implementing additional security measures for the Multi-Factor Authentication (MFA) flow to improve account protection and prevent unauthorized access attempts.
Proposed Features
- Session Termination After Multiple MFA Failures
  - Automatically terminate the user's session after a configurable number of failed MFA attempts (e.g., 5 failures).
  - This prevents further attempts on the same session, requiring the user to start the authentication process from the beginning.
- Account Lockout After Excessive MFA Failures
  - Temporarily block the user account after a set number of MFA failures across multiple sessions (e.g., 10 failures within 30 minutes).
  - Implement a configurable lockout duration (e.g., 30 minutes, 1 hour, 24 hours).
  - Provide options for manual account unlock by administrators or automatic unlock after a set period.
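As an added illustration of both proposed controls together (example code written for this request, not part of any existing implementation), the following in-memory policy uses the thresholds quoted above: a per-session counter that terminates the session at 5 failures, a cross-session sliding window that locks the account at 10 failures within 30 minutes, automatic unlock when the lockout duration expires, and a manual administrator unlock. The account and session identifiers, the `clock` parameter, and the in-memory storage are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Thresholds and window follow the feature request; the storage is an assumption.
SESSION_MAX_FAILURES = 5          # failures before the session is terminated
ACCOUNT_MAX_FAILURES = 10         # failures across sessions before lockout
ACCOUNT_WINDOW_SECONDS = 30 * 60  # window in which account failures are counted
LOCKOUT_SECONDS = 30 * 60         # configurable lockout duration


class MfaFailurePolicy:
    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing
        self.session_failures = defaultdict(int)    # session_id -> failure count
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}                      # account -> unlock time

    def is_locked(self, account):
        # Automatic unlock: a lock is discarded once its deadline has passed.
        until = self.locked_until.get(account, 0)
        if self.clock() >= until:
            self.locked_until.pop(account, None)
            return False
        return True

    def record_failure(self, account, session_id):
        """Record one failed MFA attempt and return the action the server should take."""
        now = self.clock()
        if self.is_locked(account):
            return "account_locked"
        # Cross-session sliding window: keep only failures inside the window.
        window = self.account_failures[account]
        window.append(now)
        while window and now - window[0] > ACCOUNT_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= ACCOUNT_MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()
            self.session_failures.pop(session_id, None)
            return "account_locked"
        # Per-session counter: terminate the session at the threshold.
        self.session_failures[session_id] += 1
        if self.session_failures[session_id] >= SESSION_MAX_FAILURES:
            del self.session_failures[session_id]
            return "session_terminated"
        return "retry"

    def admin_unlock(self, account):
        # Manual unlock by an administrator clears both the lock and the window.
        self.locked_until.pop(account, None)
        self.account_failures.pop(account, None)
```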