I want to implement 2FA in my application. I am a relatively new developer (~1 year Spring Boot / Android).
At the moment, my app uses Spring Security AuthenticationProviders to authenticate a user only by their username/password combo, using BCrypt as the hashing algorithm.
From looking around online, I can't seem to find a "clear" answer on when to challenge a user for a 2FA code.
My questions are:
- Under what circumstance(s) do you request a 2FA code? Only if the UserAgent string has not been seen for that user before? When the UserAgent and IP are not a combination seen before? Or when/with what combination? (Machine learning is out of the question... noobie here.)
- Should the user account be locked/disabled, always requesting a 2FA code for EVERY subsequent login attempt if the first 2FA code entered fails, until a correct 2FA/username/password combination is given?
- I guess a rate limit on how often a new 2FA code is generated is standard practice to prevent some form of DoS attack?
Any links or clearer "best practice" would be greatly appreciated!
Thank you.
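As an added illustration of the three policy questions raised above (which logins get challenged, what happens after a wrong code, and rate limiting code issuance), here is a small, plain-JDK Java class. It is example code written for this thread, not code from the question or from Spring Security. It assumes a device is identified by the user-agent string plus the IPv4 /24 of the client address (so a phone that changes address within the same network is still recognised), that a user who enters three wrong codes in a row is challenged on every login until a correct code is entered, and that at most five codes may be issued per user in any ten-minute window. The in-memory maps stand in for whatever persistence the real application uses; all sample values in `main` are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Example 2FA challenge policy (added illustration, not from the original post). */
public class TwoFactorPolicy {

    // Per-user state kept in memory for the example; a real app would persist this (assumption).
    private final Map<String, Set<String>> knownDevices = new HashMap<>();
    private final Map<String, Integer> failedOtpAttempts = new HashMap<>();
    private final Map<String, Deque<Instant>> otpIssueTimes = new HashMap<>();

    private final int maxFailedOtpBeforeLock; // consecutive wrong codes before "always challenge"
    private final int maxOtpPerWindow;        // codes that may be issued per user per window
    private final Duration otpWindow;

    public TwoFactorPolicy(int maxFailedOtpBeforeLock, int maxOtpPerWindow, Duration otpWindow) {
        this.maxFailedOtpBeforeLock = maxFailedOtpBeforeLock;
        this.maxOtpPerWindow = maxOtpPerWindow;
        this.otpWindow = otpWindow;
    }

    /** Device key = user agent + IPv4 /24 (assumed heuristic); non-dotted addresses are used whole. */
    static String deviceKey(String userAgent, String ip) {
        int lastDot = ip.lastIndexOf('.');
        String network = lastDot > 0 ? ip.substring(0, lastDot) : ip;
        return userAgent + "|" + network;
    }

    /** After the password check succeeds: does this login also need a 2FA code? */
    public boolean requiresChallenge(String user, String userAgent, String ip) {
        if (isLocked(user)) {
            return true; // too many wrong codes: challenge every login until a correct code is given
        }
        Set<String> devices = knownDevices.getOrDefault(user, Set.of());
        return !devices.contains(deviceKey(userAgent, ip)); // unknown device or network
    }

    /** "Locked" here means "always challenged", not "account disabled". */
    public boolean isLocked(String user) {
        return failedOtpAttempts.getOrDefault(user, 0) >= maxFailedOtpBeforeLock;
    }

    /** Record an OTP check. A correct code trusts the device and clears the failure counter. */
    public void recordOtpResult(String user, String userAgent, String ip, boolean correct) {
        if (correct) {
            failedOtpAttempts.remove(user);
            knownDevices.computeIfAbsent(user, k -> new HashSet<>()).add(deviceKey(userAgent, ip));
        } else {
            failedOtpAttempts.merge(user, 1, Integer::sum);
        }
    }

    /** Sliding-window limit on issuing new codes, so the OTP endpoint cannot be used to flood SMS/email. */
    public boolean mayIssueOtp(String user, Instant now) {
        Deque<Instant> times = otpIssueTimes.computeIfAbsent(user, k -> new ArrayDeque<>());
        Instant cutoff = now.minus(otpWindow);
        while (!times.isEmpty() && times.peekFirst().isBefore(cutoff)) {
            times.pollFirst(); // drop issuances that fell out of the window
        }
        if (times.size() >= maxOtpPerWindow) {
            return false;
        }
        times.addLast(now);
        return true;
    }

    public static void main(String[] args) {
        TwoFactorPolicy policy = new TwoFactorPolicy(3, 5, Duration.ofMinutes(10));
        String ua = "ExampleApp/1.0 (Android 13)"; // constructed sample user agent
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");

        System.out.println("never-seen device:   " + policy.requiresChallenge("alice", ua, "203.0.113.10"));
        policy.recordOtpResult("alice", ua, "203.0.113.10", true);
        System.out.println("same UA, same /24:   " + policy.requiresChallenge("alice", ua, "203.0.113.42"));
        System.out.println("same UA, new network:" + policy.requiresChallenge("alice", ua, "198.51.100.7"));

        for (int i = 0; i < 3; i++) {
            policy.recordOtpResult("alice", ua, "198.51.100.7", false);
        }
        System.out.println("trusted device, but locked: " + policy.requiresChallenge("alice", ua, "203.0.113.10"));
        policy.recordOtpResult("alice", ua, "198.51.100.7", true);
        System.out.println("after correct code:  " + policy.requiresChallenge("alice", ua, "203.0.113.10"));

        int issued = 0;
        for (int i = 0; i < 7; i++) {
            if (policy.mayIssueOtp("alice", t0.plusSeconds(i))) issued++;
        }
        System.out.println("codes issued out of 7 requests in one window: " + issued);
        System.out.println("next window: " + policy.mayIssueOtp("alice", t0.plus(Duration.ofMinutes(11))));
    }
}
```

The three decisions are deliberately separate methods so each can be tuned or replaced on its own: `requiresChallenge` is what a Spring Security authentication step would consult after the password check, `recordOtpResult` is called from the code-verification endpoint, and `mayIssueOtp` guards the "send me a code" endpoint. Keying devices by user agent plus network is a heuristic, not proof of identity: the user agent is attacker-controlled, so the policy only decides when to skip the second factor for convenience, never when to skip the password.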