[littlestymaar]

> an IP that doesn't appear anywhere in your logs suddenly submits two or three login attempts

How is the attacker supposed to bruteforce anything with 2-3 login attempts?

Even if 1M node submitted 10 login attempts per hour, they would just be able to try 7 billion passwords per month per account, that's ridiculously low to bruteforce even moderately secure passwords (let alone that there's definitely something to do on the back end side of things if you see one particular account with 1 million login attempts in a hour from different IPs…).

So I must have misunderstood the threat model…

[mike_hearn]

Brute force here can mean they try millions of accounts and get into maybe a quarter of them on their first try, not that they make millions of tries against a single account.

[littlestymaar]

If you have an attacker that can gain access on 25% of its attempts, it doesn't matter it there is a botnet with millions of IPs, they would still have around 25% success rate on just 10 IPs, it bas nothing to do with brute force, it just means you have plenty of compromised accounts in the wild and you want to prevent bad actors from using them at scale.

The threat model is entirely different from what your brute force phrase implies, and it is also a threat model that isn't relevant to banking, which was the topic of the discussion in the first place. And more importantly, it doesn't affect the security of the user.

[3form]

That's a very uncommon understanding of brute force, to be honest. Generally I see the term applied to cases where there's next to no prior knowledge, just enumeration.

[mike_hearn]

Well, I'd have picked a different word in this context. I'm just explaining why attestation fixes the problem described by the OP as seen in modern contexts and rate limiting doesn't.