Account Creation Restriction, Login Protection, and 2FA

Hello Indico Team,

Could you please advise how to restrict user account creation so that only admins can create accounts?

Also, does Indico support protection against brute-force login attempts, such as rate limiting or account lockout? Lastly, how can we enable and configure two-factor authentication (2FA)?

Thank you for your support.

Best regards,

LOCAL_REGISTRATION = False

See the docs for FAILED_LOGIN_RATE_LIMIT. The default may already be fine for you.

Indico itself does not support 2FA, so usually people who require 2FA disable local logins in Indico and instead use some kind of SSO that takes care of account management and 2FA.

Thank you for your prompt response.

If I want to set up a rate limit so that after three failed login attempts the account is disabled, what would the indico.conf configuration look like for this rate-limiting setup?

We do not support account lockouts (it’s a conferencing tool, not a bank…), just IP-based rate limiting. Imagine how easy it would be to DoS a legitimate user by just trying to log in 3 times using someone’s (usually easy to guess) username. Or an honest mistake of someone thinking their username is different.

TBH I think you worry too much: Indico already has decent password requirements, including checks for known leaked passwords, so the risk of someone brute-forcing an Indico account password over the network is very low. If it’s an existing setup (for new setups it’s the default) you can also set LOCAL_PASSWORD_MIN_LENGTH = 15 to require longer passwords for Indico accounts.

This is what it looks like when the default setting is enabled in the main indico.conf file:

FAILED_LOGIN_RATE_LIMIT = '5 per 15 minutes; 10 per day'
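As an added illustration (not Indico's own code), the following Python models the behaviour described in the replies above: a FAILED_LOGIN_RATE_LIMIT string, assumed here to follow the "N per [K] unit; ..." notation shown, is parsed into sliding windows keyed by client IP, so an attacker's failed attempts throttle the attacker's address while the targeted username is never locked out. The IP addresses are constructed sample values.

```python
import re
from collections import defaultdict

# Window units in seconds (assumed to match the "N per <unit>" notation above)
_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate_limit(spec):
    """Parse 'N per [K] unit; ...' into a list of (count, window_seconds)."""
    limits = []
    for part in spec.split(";"):
        m = re.fullmatch(
            r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(second|minute|hour|day)s?\s*", part)
        if not m:
            raise ValueError(f"unrecognised rate limit: {part!r}")
        count, k, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
        limits.append((count, k * _UNITS[unit]))
    return limits

class FailedLoginLimiter:
    """Sliding-window limiter keyed by client IP, not by username."""
    def __init__(self, spec):
        self.limits = parse_rate_limit(spec)
        self.failures = defaultdict(list)  # ip -> timestamps of failed logins

    def record_failure(self, ip, now):
        self.failures[ip].append(now)

    def is_blocked(self, ip, now):
        # Blocked if any configured window already holds its maximum failures
        stamps = self.failures[ip]
        return any(sum(1 for t in stamps if now - t < window) >= count
                   for count, window in self.limits)

def simulate(spec="5 per 15 minutes; 10 per day"):
    """Attacker exhausts the 15-minute window against 'alice'; alice logs in from her own IP."""
    lim = FailedLoginLimiter(spec)
    attacker, alice = "203.0.113.9", "198.51.100.7"  # constructed sample addresses
    for i in range(5):
        lim.record_failure(attacker, now=i * 10)  # five failures within 40 seconds
    return {
        "attacker_blocked": lim.is_blocked(attacker, now=60),
        "alice_still_allowed": not lim.is_blocked(alice, now=60),
        "attacker_after_window": lim.is_blocked(attacker, now=60 + 15 * 60),
    }
```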