Lock Out a User who Supplies the Wrong Password for a Specified Number of Times

[samkanga]

Describe the issue to be researched
PATH have made a request for the ability to lock out the app users who input the wrong password for a specified number of times. The lock-out would be for a specified amount of time before they can retry login or contact an admin where they are totally unable login.

A possible approach would be through key-cloak but this would need the device to be online. This feature is sought to be resident on the app and to work even when the users have no internet connection.
What would it take to achieve this request on OpenSRP 2?

Describe the goal of the research
This is as a security measure that is meant to lock anyone who may be trying to impersonate a user or not a valid system user.

Describe the methodology
This request is at exploration level to determine what is presently possible.

[dubdabasoduba]

@ndegwamartin @pld Keycloak already allows this we just need to decide on how the application and web app behave after the account is locked.

• Keycloak allows us to lock the account permanently or have incremental time locks.

[pld]

Cool so 2 options then

1. remote lock -- simpler option
   • need to add functionality so the knows how to message the user when they try to log in and the account is locked
   • need to decide what happens when someone is already logged in offline, but their account is locked (maybe they tried to log in on another device) and then they come online, do they stay logged? do we remove the lock? do we log them out on device?
2. app lock -- complex option
   • can check if there's a packaged module for handling login timeouts on device
   • if not, need to write our own and manage entirely on device
   • but we'd also want to be able to do a remote unlock, so for that maybe we want to integrate somehow w/keycloak's existing functionality