Many services, such as a website, an email service, a social network, etc., may employ various security techniques to mitigate unauthorized access to user information. For example, a social network service may perform a verification to verify that a user attempting to access a social network account is indeed an owner of a registered email account (e.g., a verification code or link may be sent to an email address of the user), an owner of a registered device (e.g., the verification code or link may be sent to a mobile device of the user), etc. The user may submit the verification code back to the social network service for verification. A verification attempt counter may be maintained to track whether the user (e.g., a malicious attacker) has attempted to verify with the social network service over a threshold amount of attempts, and thus the social network account may be locked or some other security policy may be implemented.
In an example, the service may be hosted across a plurality of data centers for resiliency against failures. For example, the social network account may be stored within multiple data centers, such that if a data center fails, then a surviving data center has access to the social network account for providing the user with uninterrupted access to the social network service. Unfortunately, parallel attacks on multiple data centers may be performed by an attacker in an attempt to falsely verify that the attacker is the user, such as by using a bot to submit codes that may potentially match the verification code. Because the attempts are performed in parallel, the verification attempt counter may not be updated quick enough to adequate track an accurate number of attempts by the attacker, and thus the attacker may more easily falsely verify as the user because of having more verification attempts than the threshold amount of attempts. Significant processing and client access latency may be introduced if replication or other techniques are used to store the verification code and the verification attempt counter across multiple data centers in a consistent manner.