[Django] #25612: django.contrib.auth should include support for 2fa out of the box

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box
----------------------------------------+------------------------
Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------
Django did a tremendous service to its users by making strong password
hashing be the default. The world is pushing forward, and now 2fa is the
next standard that many sites fail to meet.

Django should include support for 2fa out of the box, ideally with support
for both u2f and TOTP (Google Authenticator).

--
Ticket URL: <https://code.djangoproject.com/ticket/25612>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+-----------------------------------------

Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+-----------------------------------------
Changes (by timgraham):

* stage: Unreviewed => Someday/Maybe

Comment:

[https://groups.google.com/d/topic/django-
developers/T-kBSvry6z0/discussion django-developers] discussion.

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:1>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+------------------------------------

Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+------------------------------------
Changes (by timgraham):

* stage: Someday/Maybe => Accepted

Comment:

The reception on the mailing list has been positive.

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:2>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+------------------------------------

Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+------------------------------------
Changes (by MoritzS):

* cc: moritz.sichert@… (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:3>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+------------------------------------

Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+------------------------------------
Changes (by DheerendraRathor):

* cc: dheeru.rathor14@… (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:4>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+------------------------------------

Reporter: alex | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+------------------------------------
Changes (by edmorley):

* cc: emorley@… (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:5>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: mlevental
Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+-------------------------------------
Changes (by mlevental):

* cc: m.levental@… (added)
* status: new => assigned
* owner: nobody => mlevental

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:6>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: mlevental
Type: New feature | Status: assigned

Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+-------------------------------------

Comment (by mlevental):

It should be distinguishable if a user is authenticated with 1 factor or
2, e.g. for checking if the user is already authenticated with the
required number of factors so relogging can be omitted. Therefore a field
like {{{is_two_factor_authenticated}}} can be added to the {{{User}}}
model.

But then it would be unclear whether the existing field
{{{is_authenticated}}} means the user is authenticated with 1 or 2
factors.
To find that out one would have to additionally check for the value of
{{{is_two_factor_authenticated}}} and this would be cumbersome.
For convenience another field like {{{is_one_factor_authenticated}}} could
be introduced. And to make {{{is_authenticated}}} behave correctly it
should return {{{True}}} if either {{{is_one_factor_authenticated}}} or
{{{is_two_factor_authenticated}}} is {{{True}}}.

What are your thoughts on that?

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:7>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: mlevental
Type: New feature | Status: assigned

Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+-------------------------------------

Comment (by Tim Graham):

It would be better to put together a proposal and and post it on the
DevelopersMailingList. That reaches a wider audience that the few people
following the ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:8>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+------------------------------------
Reporter: Alex Gaynor | Owner: (none)

Type: New feature | Status: new
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+------------------------------------
Changes (by mlevental):

* status: assigned => new
* owner: mlevental => (none)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:9>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+---------------------------------------
Reporter: Alex Gaynor | Owner: theExplorer

Type: New feature | Status: assigned

Component: contrib.auth | Version: dev

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+---------------------------------------
Changes (by theExplorer):

* owner: (none) => theExplorer

* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:10>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+---------------------------------------
Reporter: Alex Gaynor | Owner: theExplorer
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+---------------------------------------
Changes (by Mariusz Felisiak):

* cc: justinmayer (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:11>

[Django]

#25612: django.contrib.auth should include support for 2fa out of the box

------------------------------+---------------------------------------
Reporter: Alex Gaynor | Owner: theExplorer
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

------------------------------+---------------------------------------
Changes (by Tom Carrick):

* cc: Tom Carrick (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/25612#comment:12>