ACSP Suggestion 2020.16: Follow Rate Limiting (Throttling) Advice in NIST 800-63B Section 5.2.2 When Locking User Accounts

Suggestion

Author: Anonymous   
Submitted On: 28 October 2020

Description: ARIN Online should utilize the advice in NIST 800-63B in section “5.2.2 Rate Limiting (Throttling)” to avoid locking user accounts after 5 failed attempts. In addition to increasing the number attempts to something a little closer to the NIST suggested upper limit (of 100 failed attempts), consideration should be given to use of one or more of the suggested additional techniques that may reduce the likelihood that an attacker will lock the legitimate claimant out as a result of rate limiting (e.g. captcha completion before resuming and/or an increasing wait period after each failed attempts).

Value to Community:

  1. Elimination of a fairly trivial denial of service attack against ARIN Online users
  2. Avoidance of unnecessary calls to ARIN customer service
  3. Potential emergence of world peace due to Increased customer satisfaction with the ARIN Online login process

Timeframe: Not specified

Status: Closed   Updated: 08 June 2021

Tracking Information

ARIN Comment

3 December 2020

Thank you for your recent suggestion, numbered 2020.16 upon receipt, requesting that we follow the rate limiting (throttling) advice in NIST 800-63B Section 5.2.2 when locking user accounts. We understand that the current practice of locking user accounts after a number of failed login attempts can sometimes result in legitimate users being locked out of their accounts.

ARIN will implement a series of password validations based on the NIST recommendations using a CAPTCHA and account locking periods that become longer as the number of failed login attempts increase. ARIN will work with its Registration Services Department (RSD) to determine a number of failed login attempts that will trigger a notification to RSD. This notification will alert RSD to contact the customer.

Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.

8 June 2021

Thank you for your suggestion, numbered 2020.16 on confirmed receipt, requesting that we follow the rate limiting (throttling) advice in NIST 800-63B Section 5.2.2 when locking user accounts.

With our latest release, we have implemented changes to our login authentication process following the guidelines in NIST 800-63B Section 5.2.2. These changes include a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made against any single account over time and introduces CAPTCHA and incrementing timeout periods before allowing further attempts. ARIN’s Registration Services Department will notify affected customers when warranted.

Because this work is completed, we are closing this suggestion. Thank you for participating in the ARIN Consultation and Suggestion Process.