Created on 15 May 2025, about 2 months ago

Is there anything that would stop someone from creating an account with someone else's email and then hammering it with TFA code messages? I tried it out leaving the code field empty and eventually I got "Failed validation limit reached." I don't know if there's a way around that.

Just wondering if this is a topic that has come up, either for this module or for the TFA plugins generally.

💬 Support request

Status: Active
Version: 1.0
Component: Code
Created by: 🇺🇸 United States brad.bulger


Comments & Activities

  • Issue created by @brad.bulger
  • 🇦🇺 Australia mingsong 🇦🇺

    I am not sure if I understand your question correctly.

    Flood control?

    Yes, this module comes with a flood control measure to prevent brute-force attacks.

    Is there anything that would stop someone from creating an account with someone else's email

    This is a question for Drupal core. Since Drupal will send the password reset link to the user's email, if this happens, then that is a security question for core. As per Drupal security policy, I won't discuss this question here.

    I tried it out leaving the code field empty and eventually I got "Failed validation limit reached." I don't know if there's a way around that.

    Bypassing the flood control is a security breach, so the short answer is no, you can't.

    Just wondering if this is a topic that has come up, either for this module or for the TFA plugins generally.

    I don't understand what you want to ask here.

  • 🇦🇺 Australia mingsong 🇦🇺

    Close it as I think all questions related to this module have been answered.
