Merge pull request #499 from gmandyam/master

gmandyam · web-flow · commit 68cc6092b2c3 · 2017-06-28T14:07:22.000-07:00
Add Rate Limiting definition to terminology section
diff --git a/index.bs b/index.bs
@@ -307,6 +307,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
     attestation=], the [=credential key pair=] is also used as the [=attestation key pair=], see [=self attestation=]
     for details.
 
+:<dfn>Rate Limiting</dfn>
+:: The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting
+    the number of consecutive failed authentication attempts within a given period of time.  If the limit is reached, the authenticator
+    should impose a delay that increases exponentially with each successive attempt, or disable the current authentication modality
+    and offer a different authentication factor if available.  Rate limiting is often implemented as an aspect of [=user verification=].
+
 : <dfn>Registration</dfn>
 :: The [=ceremony=] where a user, a [=[RP]=], and the user's computing device(s) (containing at least one
     [=authenticator=]) work in concert to create a [=public key credential=] and associate it with the user's [=[RP]=] account.
