Ask HN: Using password with a random secret question user has stored?
Would it be secure enough if user has to answer a secret question after logging in and if he enter a correct answer, he is logged in application but if didn't answered it correctly first time, then user is locked and an sms with some numbers is sent to user mobile number to get unlocked and repeat this process for max like 3 times and will be blocked forever unless admin unblocks after verifying the user manually.
4 comments
[ 5.6 ms ] story [ 20.5 ms ] threadBlocking an account after a number of failed login attempts is an invitation for DoS. Use a system of temporary blocks instead; for example, 2^n seconds after the n-th attempt.
If this is not feasible for some reason, you need to change or revoke your secrets as soon as you know the key is stolen.
I'd prefer it if they just used TOTP or FIDO as their second factor because it's actual real security. Even SMS would be better than nothing.