Looking for some suggestions/help in regards to the failcounter and preventing brute forcing. It appears that after the failcounter clear timer completes, you can brute force the account.
For example, while testing with my ‘Clear failcounter’ set to 5 minutes, I performed the actions below.
- Entered my PIN wrong 5 times to hit my max fail.
- Tried to use my correct PIN within the 5-minute window. This failed [expected]
- Waited 5 minutes
- Entered an invalid PIN several more times
- Entered the correct PIN immediately afterward and the authentication succeeded [unexpected]
I was assuming/hoping that any failed login attempt would reset the 5-minute timer. I may write a script in the event handler to do this, but I was checking to see if this was expected behavior or not first.
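The difference between the two timer semantics described above, as an added example that is not part of this post or of any product's real code: a toy fail counter, a stream of one wrong PIN every 10 seconds for an hour, and a count of how many of those guesses the server actually checks under each policy (the values 5 failures, 5-minute clear timer, 10 s interval and 1 hour are assumed test parameters).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailCounter:
    """Toy per-account fail counter with a 'clear failcounter' timer.

    reset_on_failure=False: the timer starts at the first failure and later
    failures do not touch it, so the counter clears `clear_after` seconds
    later no matter what happened in between (the behaviour observed above).
    reset_on_failure=True: every failed attempt, including one rejected while
    locked, restarts the timer, so continued guessing keeps the lock in place.
    """
    max_fail: int
    clear_after: float
    reset_on_failure: bool
    count: int = 0
    timer_start: Optional[float] = None

    def attempt(self, now: float, correct: bool) -> str:
        """Return 'ok', 'wrong' (PIN was checked and rejected) or 'locked'
        (rejected without checking because max_fail has been reached)."""
        if self.timer_start is not None and now - self.timer_start >= self.clear_after:
            self.count, self.timer_start = 0, None      # clear timer expired
        if self.count >= self.max_fail:
            self._record_failure(now)
            return "locked"                             # even the right PIN fails
        if correct:
            self.count, self.timer_start = 0, None      # success clears the counter
            return "ok"
        self._record_failure(now)
        return "wrong"

    def _record_failure(self, now: float) -> None:
        self.count = min(self.count + 1, self.max_fail)
        if self.timer_start is None or self.reset_on_failure:
            self.timer_start = now


def checked_guesses(reset_on_failure: bool, max_fail: int = 5, clear_after: float = 300.0,
                    interval: float = 10.0, duration: float = 3600.0) -> int:
    """Feed one wrong PIN every `interval` seconds for `duration` seconds and count
    how many of those guesses were really checked against the PIN (assumed values)."""
    fc = FailCounter(max_fail, clear_after, reset_on_failure)
    t, checked = 0.0, 0
    while t < duration:
        if fc.attempt(t, correct=False) == "wrong":
            checked += 1
        t += interval
    return checked


if __name__ == "__main__":
    print("timer from first failure:", checked_guesses(False), "guesses checked per hour")
    print("timer restarted on every failure:", checked_guesses(True), "guesses checked per hour")
```

Note the trade-off the stricter policy brings: while someone keeps guessing, the legitimate user stays locked out too, so restarting the timer on every failure is best paired with alerting on the lock events.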