Section 1.1.6
Top Level
Sub Level
General
The application should lock the user's account after a defined number of failed login attempts, or should introduce a delay after each failed authentication attempt, to slow down brute-force attacks.
Django
One possible solution is to create a new Model that logs unsuccessful login attempts. Before attempting to authenticate the credentials from a login form, you can check this log for the username to determine the number of failed attempts within a given time frame. Based on this result, you could "lock" the user's account.
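The following is an added example, not code from the checklist or from Django itself. It shows the approach described above in plain Python: an in-memory sqlite3 table stands in for the Django Model that would log failed attempts, the log is consulted for the username before the credential check runs, and the account is treated as locked once the failures inside a sliding window reach a threshold. It also carries the delay alternative mentioned in the General note as an exponential, capped back-off. The policy values (5 failures, 15-minute window, 30-second maximum delay), the table layout and the `check_password` callable are assumptions; in a Django view the callable would be `authenticate()` and the table would be the Model's queryset.

```python
import sqlite3
import time

# Assumed policy values (not from the checklist): lock after 5 failures
# seen within a 15-minute sliding window; cap the optional delay at 30 s.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
MAX_DELAY_SECONDS = 30


class FailedLoginLog:
    """Stand-in for the Django Model the checklist suggests: one row per
    failed attempt, keyed by username and timestamp (sqlite3 in memory)."""

    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS failed_login ("
            "username TEXT NOT NULL, attempted_at REAL NOT NULL)"
        )
        # The lookup is always (username, time window), so index exactly that.
        self.conn.execute(
            "CREATE INDEX IF NOT EXISTS failed_login_idx "
            "ON failed_login (username, attempted_at)"
        )

    def record_failure(self, username, now):
        self.conn.execute(
            "INSERT INTO failed_login (username, attempted_at) VALUES (?, ?)",
            (username, now),
        )

    def recent_failures(self, username, now):
        """Number of failures for `username` inside the sliding window."""
        row = self.conn.execute(
            "SELECT COUNT(*) FROM failed_login "
            "WHERE username = ? AND attempted_at > ?",
            (username, now - WINDOW_SECONDS),
        ).fetchone()
        return row[0]

    def is_locked(self, username, now):
        return self.recent_failures(username, now) >= MAX_FAILURES

    def clear(self, username):
        """Forget the history once the user authenticates successfully."""
        self.conn.execute(
            "DELETE FROM failed_login WHERE username = ?", (username,)
        )


def delay_seconds(failures):
    """Alternative to a hard lock, as the General note allows: an exponential
    delay after each failure, capped so a legitimate user is not shut out."""
    if failures <= 0:
        return 0
    return min(2 ** (failures - 1), MAX_DELAY_SECONDS)


def attempt_login(log, check_password, username, password, now=None):
    """Returns "locked", "ok" or "failed".

    `check_password(username, password) -> bool` is the real credential check
    (in Django, `authenticate()`); the log is consulted before it is called so
    a locked account never reaches the password verifier.
    """
    now = time.time() if now is None else now
    if log.is_locked(username, now):
        return "locked"
    if check_password(username, password):
        log.clear(username)
        return "ok"
    # Record the failure for unknown usernames too, so lockout behaviour and
    # response timing do not reveal which usernames exist.
    log.record_failure(username, now)
    return "failed"


if __name__ == "__main__":
    # Constructed demo credential store; real code delegates to authenticate()
    # and never compares plaintext passwords like this.
    users = {"alice": "correct horse battery staple"}
    check = lambda u, p: users.get(u) == p
    log = FailedLoginLog()
    t = 1000.0
    for i in range(MAX_FAILURES):
        print(attempt_login(log, check, "alice", "guess", now=t + i))
    print(attempt_login(log, check, "alice", users["alice"], now=t + 5))
    print(attempt_login(log, check, "alice", users["alice"],
                        now=t + WINDOW_SECONDS + 10))
```

Because the lock is keyed on the username alone, anyone who knows a username can keep that account locked by sending bad passwords; the delay variant (`delay_seconds`) degrades more gracefully for the legitimate user, and either variant should log the events so repeated lockouts of one account are visible to operations.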
Natural Webagent
This is handled automatically when using EID authentication.