From a85ca7cf11f14379bb025405719a71e0c26f8705 Mon Sep 17 00:00:00 2001 From: Christian Scheb Date: Sat, 4 Nov 2023 17:44:55 +0100 Subject: [PATCH] Recommend login throttling as the preferred method for brute force protection --- doc/brute_force_protection.rst | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/doc/brute_force_protection.rst b/doc/brute_force_protection.rst index 5b7fc029..cb360cc2 100644 --- a/doc/brute_force_protection.rst +++ b/doc/brute_force_protection.rst 
@@ -2,17 +2,39 @@ Brute Force Protection ====================== Brute force protection is essential for two-factor authentication, because otherwise the authentication code could just -be guessed by an attacker. The bundle doesn't come with a predefined anti brute force solution, but you can easily -implement one by listening to the :doc:`events ` provided by the bundle. +be guessed by an attacker. -1) Log failed two-factor attempts ---------------------------------- +Login Throttling +---------------- + +In Symfony 5.2 "login throttling" was introduced as a feature to Symfony's security system. If you active this feature +on the firewall settings, you'll automatically have brute force protection for login *and* two-factor authentication. + +.. code-block:: yaml + + # config/packages/security.yaml + security: + firewalls: + your_firewall_name: + login_throttling: + max_attempts: 3 + interval: '15 minutes' + +Please see `Symfony Security Bundle documentation `_ +for details on this feature and its configuration. + +Custom Implementation +--------------------- + +If you need a custom implementation for brute force protection, you can easily implement one by listening to the +:doc:`events ` provided by the bundle. + +**1) Log failed two-factor attempts** Register a listener for the ``scheb_two_factor.authentication.failure`` event. Log whatever you need (IP, user, etc.) to detect brute force attacks. -2) Block authentication ------------------------ +**2) Block authentication** Register a listener for the ``scheb_two_factor.authentication.attempt`` event. Execute your brute-force detection logic and decide if the attempt should be blocked. Since that event is dispatched directly before the two-factor code is
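Review bot: typo in the new Login Throttling paragraph, "If you active this feature on the firewall settings" should read "If you activate this feature in the firewall settings". In the same section the `Symfony Security Bundle documentation <>`_ link carries no URL target as shown in this hunk, so the rendered reference would point nowhere; the same applies to the :doc:`events ` reference kept under Custom Implementation. Since the page now recommends throttling as the preferred method, it would help readers to say that `max_attempts: 3` and `interval: '15 minutes'` are illustrative values to be tuned per deployment, and to state next to the "Symfony 5.2" sentence any further requirement a firewall must meet for the `login_throttling` option to be available, so that someone on an older or differently configured setup knows to fall back to the Custom Implementation section rather than assuming the two-factor attempts are being throttled.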