Enhance the user experience regarding locked accounts

[jonasraoni]

If someone attempts to brute force a password, the account might get locked too often, and the user will be forced to reset the password.
Initial ideas:

• Once the user gets logged in, we could setup a cookie, assume the machine is safe (allow it to skip the validation), at least for N days.
• Setup smaller retry limits for the same IP, which would force an attacker to use a better network setup?!

[ctgraham]

@jonasraoni , do you have specific examples of this, or is it theoretical? Part of the assumption of blocking brute force attempts is that with an account lock, the attacker will discontinue the requests, since they aren't getting new information from trying additional passwords; and, ultimately, they will not bother to brute force the system because the process of credential stuffing becomes too slow.

[jonasraoni]

We just had a user complaining about getting locked a couple of times, so this is a possible improvement to save them for this burden. Setting up a cookie sounds like a reasonable approach (I've seen it on other auth systems, to skip 2FA validations on the same device) :)