I am not talking about problems with Sentry itself.
I am talking about when a user tries to log in to my system, and the username/password match (or whatever, depending on your auth implementation) fails. For simplicity's sake, let's assume we are talking about self-hosted username/password authentication. Should that be reported in a Sentry event?
I can think of at least three alternatives:

1. Send a failure notice to Sentry, including both the failed username and password.
2. Send a failure notice to Sentry, including maybe only the proposed username.
3. Do not send a failure notice to Sentry (and maybe deal with it locally).
Either of the first two alternatives seems like a risk of unwarranted sharing of PII (think about a user who gets their username right but has an off-by-one-character mistype in the password). In the second case, it can potentially be determined that a particular username is under attack.
But what happens if Sentry itself is breached?
I am inclined towards the third alternative, but that puts the onus of protecting information back on me, of course.
What does Sentry recommend your users do in this kind of scenario?
Sentry is generally meant for bugs in your code, and a user putting in a wrong password is not a bug.
If you're concerned about regressions on your authentication API, then we have an alerting feature that can ping you when the throughput or error count from the API becomes anomalous. You would not need to send user information for this use case.
If you're concerned about attacks on a specific user, then you need to consider the actions you'd want to take and then pick your tooling from there.
If you have to send user information to Sentry, then user_id should be more than sufficient for your purposes.
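The following is an added example, not code from this issue, from Sentry, or from the Sentry SDK. It shows one way to act on the advice above: keep routine failed logins local (a per-account counter you can alert on), and if an event does go to Sentry, scrub credentials and PII so that only a `user_id` survives. `scrub_credentials` is written in the shape of a `sentry_sdk` `before_send` hook (`(event, hint) -> event | None`), but the event dictionaries, the key list and the `LoginFailureTracker` class are constructed for this example and are assumptions, not Sentry's own behaviour.

```python
"""Added example: scrubbing credentials from login-failure events.

Implements the third alternative from the question plus the maintainer's
advice: handle failed logins locally and, when an event is sent, carry
only a user_id. Everything here is constructed for illustration.
"""
import copy
from collections import Counter

# Keys whose values must never leave the process inside an event payload.
# (Assumed list; extend it to match your own form field names.)
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "username", "email"}
REDACTED = "[Filtered]"


def _scrub(obj):
    """Recursively replace the values of sensitive keys in nested dicts/lists."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else _scrub(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [_scrub(v) for v in obj]
    return obj


def scrub_credentials(event, hint=None):
    """before_send-style hook: drop routine auth failures, scrub the rest.

    Returns None (event discarded) when the event is tagged as an expected
    authentication failure, since a wrong password is not a bug. Otherwise
    returns a copy of the event with the user reduced to its id and any
    credential-like fields in request/extra/contexts replaced by REDACTED.
    """
    tags = event.get("tags") or {}
    if tags.get("auth_failure") == "expected":
        return None
    event = copy.deepcopy(event)  # never mutate the caller's event in place
    user = event.get("user")
    if isinstance(user, dict):
        # Keep only the identifier; username, email and ip_address are dropped.
        event["user"] = {"id": user["id"]} if user.get("id") is not None else {}
    for section in ("extra", "request", "contexts"):
        if section in event:
            event[section] = _scrub(event[section])
    return event


class LoginFailureTracker:
    """Local handling of failed logins: count per account and report when a
    threshold is crossed, without ever storing the submitted credentials."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = Counter()

    def record_failure(self, user_id):
        """Record one failure; return True exactly when the account hits the threshold."""
        self.failures[user_id] += 1
        return self.failures[user_id] == self.threshold

    def event_for(self, user_id):
        """Minimal Sentry-style event to send when the threshold is crossed."""
        return {
            "message": "Repeated login failures",
            "level": "warning",
            "user": {"id": user_id},
        }


if __name__ == "__main__":
    # Constructed sample: what an unscrubbed event might look like.
    raw = {
        "message": "login failed",
        "user": {"id": "42", "username": "alice", "email": "alice@example.invalid"},
        "request": {"data": {"username": "alice", "password": "hunter2"}},
        "extra": {"attempt": 3},
    }
    print(scrub_credentials(raw))
    tracker = LoginFailureTracker(threshold=3)
    for _ in range(3):
        if tracker.record_failure("42"):
            print(tracker.event_for("42"))
```

Wire `scrub_credentials` in as `before_send` when initialising the SDK so that it runs on every event, not just the ones you remember to sanitise; the tracker lives in your own application and only produces an event once the threshold is crossed, which keeps the one-off mistyped password out of Sentry entirely.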