We are undergoing penetration testing on one of our solutions by a third party.
They have nearly completed the testing and raised one medium severity finding which concerns me. The finding is that there is nothing in place to prevent a brute force attack on the web application's authentication.
Has anyone put anything in place that would prevent this kind of attack?
Having users authenticate to view files they have access to and then select the file and re-enter their credentials does not tick the box. This does not prevent a brute force attack on the authentication interface; it just makes it a bit more difficult to automate the complete process to access the file.
If we could deactivate an account after a certain number of attempts, or block access from an IP address or something similar, that would tick the box. Implementing sound 2FA would also tick the box if it would work at the authentication stage and not once access to the file had been established, as is required with the workarounds available.
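
The two controls named in the post above (locking an account after a number of failed attempts, and blocking a source IP address), sketched as an added Python example that is not part of the original post and is not tied to any particular product. The class name `LoginThrottle`, the thresholds and the in-memory storage are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Hypothetical helper: failed-login limits per account and per source IP.
    Thresholds and in-memory storage are illustrative assumptions."""

    def __init__(self, max_account_failures=5, max_ip_failures=20,
                 window=900, lockout=900, clock=time.monotonic):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a lock or block lasts
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time the block expires

    def _blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is not None and now >= until:
            del self._blocked_until[key]     # block expired: start clean
            self._failures.pop(key, None)
            return False
        return until is not None

    def allowed(self, username, ip):
        """Call before checking the password; False means reject without checking."""
        now = self.clock()
        keys = (("acct", username.lower()), ("ip", ip))
        return not any([self._blocked(k, now) for k in keys])

    def record(self, username, ip, success):
        """Call after the credential check with its outcome."""
        now = self.clock()
        acct, src = ("acct", username.lower()), ("ip", ip)
        if success:
            # Reset the account counter only, so a login to one's own
            # account cannot be used to clear the per-IP failure count.
            self._failures.pop(acct, None)
            return
        for key, limit in ((acct, self.max_account_failures),
                           (src, self.max_ip_failures)):
            q = self._failures[key]
            q.append(now)
            while q and now - q[0] > self.window:
                q.popleft()                  # drop failures outside the window
            if len(q) >= limit:
                self._blocked_until[key] = now + self.lockout
```

Call `allowed()` before the password check and `record()` after it. A deployment with more than one application server would need these counters in a shared store rather than process memory.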