Created on 15 May 2025, 22 days ago

Is there anything that would stop someone from creating an account with someone else's email and then hammering it with TFA code messages? I tried it out leaving the code field empty and eventually I got "Failed validation limit reached." I don't know if there's a way around that.

Just wondering if this is a topic that has come up, either for this module or for the TFA plugins generally.

💬 Support request
Status

Active

Version

1.0

Component

Code

Created by

🇺🇸 United States brad.bulger


Comments & Activities

  • Issue created by @brad.bulger
  • 🇦🇺 Australia mingsong

    I am not sure if I understand your question correctly.

    Flood control?

    Yes, this module comes with a flood control measure to prevent brute-force attacks.

    Is there anything that would stop someone from creating an account with someone else's email

    This is a question for Drupal core. Since Drupal will send the password reset link to the user's email, if this happens, then that is a security question for core. Per the Drupal security policy, I won't discuss this question here.

    I tried it out leaving the code field empty and eventually I got "Failed validation limit reached." I don't know if there's a way around that.

    Bypassing the flood control is a security breach, so the short answer is no, you can't.

    Just wondering if this is a topic that has come up, either for this module or for the TFA plugins generally.

    I don't understand what you want to ask here.

  • 🇦🇺 Australia mingsong

    Close it as I think all questions related to this module have been answered.
