
Failed login attempts are not counted if email address is null or empty

Open theglobe opened this issue 5 years ago • 3 comments

If Email field is null or empty the UserManager will not update the database table and since AccessFailedCount is stored in the same table it will not be incremented.

await UserManager.AccessFailedAsync(user.Id).WithCurrentCulture(); returns an error, but this is not checked in SignInManager.PasswordSignInAsync and SignInManager.TwoFactorSignInAsync.

This means that an attacker can guess passwords for such a user indefinitely.

theglobe avatar May 18 '20 10:05 theglobe

How would that be harmful though, since no identity account can have a null email?

tymur999 avatar Oct 08 '20 15:10 tymur999

For instance if users can register with a phone number, or if using a custom user administration that allows an administrator to manually add users.

The minimal required information for a user account should be user name and password.

Is this repo maintained?

theglobe avatar Oct 08 '20 22:10 theglobe

This is when using a UserValidator with RequireUniqueEmail = true.

A possible workaround is to set RequireUniqueEmail = false, but then you will not get any email address validation when the user enters an email address.

theglobe avatar Nov 23 '20 10:11 theglobe
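The two mitigations discussed in this thread, as an added example that is not part of the AspNetIdentity code base: a validator that only enforces email format and uniqueness when an email is actually present (so UpdateAsync, and therefore AccessFailedAsync, succeeds for users without one), and a SignInManager override that checks the IdentityResult of AccessFailedAsync and fails loudly instead of silently allowing unlimited guesses. It assumes the Identity 2.x API (Microsoft.AspNet.Identity, the EntityFramework IdentityUser with a string key) and the hypothetical class names OptionalEmailUserValidator and CheckedSignInManager.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Root-cause mitigation (hypothetical class): keep email validation for users that have an
// email, but do not reject a user whose Email is null/empty, so AccessFailedAsync can persist.
public class OptionalEmailUserValidator : IIdentityValidator<IdentityUser>
{
    private readonly UserManager<IdentityUser> _manager;
    private readonly UserValidator<IdentityUser> _baseValidator;

    public OptionalEmailUserValidator(UserManager<IdentityUser> manager)
    {
        _manager = manager;
        // Base validator keeps the user-name rules; email uniqueness is re-implemented below.
        _baseValidator = new UserValidator<IdentityUser>(manager) { RequireUniqueEmail = false };
    }

    public async Task<IdentityResult> ValidateAsync(IdentityUser user)
    {
        var result = await _baseValidator.ValidateAsync(user);
        if (!result.Succeeded || string.IsNullOrWhiteSpace(user.Email)) return result; // no email: done
        if (!new EmailAddressAttribute().IsValid(user.Email)) return IdentityResult.Failed("Email is invalid");
        var owner = await _manager.FindByEmailAsync(user.Email);
        if (owner != null && !string.Equals(owner.Id, user.Id, StringComparison.Ordinal))
            return IdentityResult.Failed("Email is already taken");
        return IdentityResult.Success;
    }
}

// Defence in depth (hypothetical class): never let a failed attempt go uncounted without noticing.
public class CheckedSignInManager : SignInManager<IdentityUser, string>
{
    public CheckedSignInManager(UserManager<IdentityUser> userManager, IAuthenticationManager auth)
        : base(userManager, auth) { }

    public override async Task<SignInStatus> PasswordSignInAsync(string userName, string password, bool isPersistent, bool shouldLockout)
    {
        var user = await UserManager.FindByNameAsync(userName);
        if (user == null) return SignInStatus.Failure;
        if (await UserManager.IsLockedOutAsync(user.Id)) return SignInStatus.LockedOut;
        if (await UserManager.CheckPasswordAsync(user, password))
            return await base.PasswordSignInAsync(userName, password, isPersistent, shouldLockout); // base resets the counter and handles two-factor
        if (!shouldLockout) return SignInStatus.Failure;
        var counted = await UserManager.AccessFailedAsync(user.Id);
        if (!counted.Succeeded) // fail closed and surface the store error instead of ignoring it
            throw new InvalidOperationException("Failed login attempt was not recorded: " + string.Join("; ", counted.Errors));
        return await UserManager.IsLockedOutAsync(user.Id) ? SignInStatus.LockedOut : SignInStatus.Failure;
    }
}
```

Wire them up by assigning `manager.UserValidator = new OptionalEmailUserValidator(manager)` and registering CheckedSignInManager in place of the default SignInManager; the exception path is intended to be caught and alerted on by your logging middleware.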