How to show captcha after N failed login attempts?

I have an ASP.NET MVC 5 application that uses ASP.NET Identity 2.0 for user authentication.

Currently, users are forced to enter a captcha on every login attempt, but it causes many complaints about authentication complexity.

The main goal is to make for a human as simple login as possible, and for a robot as complex as possible.

I decided to show captcha after a certain amount of failed login attempts. There are many already-asked questions about it, but I didn't find answers that will help me build a fairly complete solution. I found this question about tracking failed attempts, but it also uses lockout, which is not what I want. And according to this answer, part of the needed functionality is available in the old ASP.NET Membership Provider and is not available (yet?) in ASP.NET Identity.

So, I ended up with the following simplified algorithm:

  1. If the provided login and password pair is correct, then log the user in.
  2. If the login or password is incorrect, then record a failed login attempt.
  3. If three failed login attempts have been recorded for a user, then display the login page with captcha.
  4. If the entered captcha is valid, then flush the count of failed login attempts, then go to 1.
  5. If the entered captcha is invalid, then again display the login page with captcha.

The question is: how can I distinguish incoming requests as requests for a specific login?

I can't rely on cookies, sessions, IPs, etc., because any robot can change them. And I can't rely on the login either, because the login may not exist at all. The obvious approach is to create a separate table that will store login, failed attempts count and a timestamp, but a robot can easily flood it with fake logins, although I can work around this by deleting old entries in a scheduled job.

Is it a valid solution? Is there a better way to do that?

sigurd asked Dec 25 '14 10:12



1 Answer

The Identity framework keeps a count of failed logins per user. You can increase it via await UserManager.AccessFailedAsync(userId), and the property ApplicationUser.AccessFailedCount stores the failed count for the user record. To reset the failed count, call await UserManager.ResetAccessFailedCountAsync(userId).
So this can be leveraged.

However, this does not account for invalid usernames, i.e. login attempts where the user does not exist in the database. For this case you can use your proposed table with a regular purge of records via a cron task.

But if a user tries to log in and puts a different username on every attempt, this approach will fail. So I'd throw in a cookie there anyway, but not rely on it heavily, knowing that it can be killed easily.

Another solution is to use Google's new reCaptcha on every page. However, this is new tech and there are reports that it is not completely reliable.

trailmax answered Oct 22 '22 22:10
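The following is an added example, not code from the question or the answer. It wires the question's five-step algorithm onto the Identity 2.0 counters the answer names (AccessFailedAsync, GetAccessFailedCountAsync, ResetAccessFailedCountAsync) and uses the question's proposed "login, failed count, timestamp" table for names that have no user record. Assumptions: the MVC 5 template types ApplicationUser, ApplicationUserManager and ApplicationSignInManager exist and are constructor-injected; ICaptchaVerifier and IUnknownLoginTracker are hypothetical abstractions you implement yourself (the tracker is the table plus its scheduled purge).

```csharp
// Added example (not the question's or answer's code). Assumes the MVC 5
// template types ApplicationUserManager / ApplicationSignInManager and two
// hypothetical abstractions declared below.
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public interface ICaptchaVerifier
{
    // Hypothetical: validates the captcha response posted with the form.
    Task<bool> VerifyAsync(string captchaResponse, string remoteIp);
}

public interface IUnknownLoginTracker
{
    // Hypothetical: failure counter keyed by submitted login for names with
    // no user record; backed by the question's table, purged on a schedule.
    Task<int> GetAsync(string login);
    Task<int> IncrementAsync(string login);
    Task ResetAsync(string login);
}

public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
    public string CaptchaResponse { get; set; }
    public bool CaptchaRequired { get; set; } // view renders the widget when true
}

public class AccountController : Controller
{
    private const int CaptchaThreshold = 3; // step 3 of the question

    private readonly ApplicationUserManager _userManager;
    private readonly ApplicationSignInManager _signInManager;
    private readonly ICaptchaVerifier _captcha;
    private readonly IUnknownLoginTracker _unknownLogins;

    public AccountController(ApplicationUserManager userManager, ApplicationSignInManager signInManager,
                             ICaptchaVerifier captcha, IUnknownLoginTracker unknownLogins)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _captcha = captcha;
        _unknownLogins = unknownLogins;
        // No lockout wanted. In Identity 2.x, AccessFailedAsync resets the counter to 0
        // (and stamps a lockout end date) once it reaches MaxFailedAccessAttemptsBeforeLockout
        // (default 5), so raise the limit and disable lockout. The template normally
        // sets these in ApplicationUserManager.Create; doing it here keeps the example self-contained.
        _userManager.MaxFailedAccessAttemptsBeforeLockout = int.MaxValue;
        _userManager.UserLockoutEnabledByDefault = false;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // Counter lives on the user record when the name exists, else in the unknown-login table.
        var user = await _userManager.FindByNameAsync(model.UserName);
        int failures = user != null
            ? await _userManager.GetAccessFailedCountAsync(user.Id)
            : await _unknownLogins.GetAsync(model.UserName);

        if (failures >= CaptchaThreshold)
        {
            model.CaptchaRequired = true;
            // Captcha is checked BEFORE the password so no guess is evaluated without it.
            if (!await _captcha.VerifyAsync(model.CaptchaResponse, Request.UserHostAddress))
            {
                ModelState.AddModelError("", "Please complete the captcha."); // step 5
                return View(model);
            }
            // Step 4: a valid captcha flushes the counter, then fall through to step 1.
            if (user != null) await _userManager.ResetAccessFailedCountAsync(user.Id);
            else await _unknownLogins.ResetAsync(model.UserName);
        }

        // Step 1. shouldLockout:false keeps Identity from incrementing the counter
        // or locking the account; on a correct password it still resets the counter itself.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, model.RememberMe, shouldLockout: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.RequiresVerification: // correct password, two-factor pending
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
        }

        // Step 2: record the failure against the user record or the unknown-login table.
        int newCount;
        if (user != null)
        {
            await _userManager.AccessFailedAsync(user.Id);
            newCount = await _userManager.GetAccessFailedCountAsync(user.Id);
        }
        else
        {
            newCount = await _unknownLogins.IncrementAsync(model.UserName);
        }
        model.CaptchaRequired = newCount >= CaptchaThreshold;
        ModelState.AddModelError("", "Invalid login attempt.");
        return View(model);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

Two things to weigh before copying this. Step 4 as the question states it resets the counter on a valid captcha, which hands a captcha-solving bot three fresh password guesses per solved captcha; the stricter variant drops the two Reset calls in that branch and relies on PasswordSignInAsync resetting the counter only on a correct password, so every attempt past the threshold costs a captcha. And, as the answer points out, the unknown-login table is keyed by whatever name the client submits, so a bot that rotates usernames never reaches the threshold there; a per-client cookie or a per-IP counter is a second, weaker signal that catches some of that traffic but can be discarded by the client at will.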