Time-based one-time password and Django?


ludovic coues

Jan 15, 2017, 5:47:56 AM
to django-d...@googlegroups.com
Hello,

After reading the recent thread on authentication in Django, I
wondered about the chance of getting a 2-step auth mechanism in
django.contrib.

Time-based one-time password, or TOTP, is now part of RFC 6238.
For those who don't know it, it uses a shared secret and the current time
to produce a 6-digit number. That number changes every 30 seconds and is
used to confirm login after entering a correct username and password.

As far as I can tell, there is no such thing present in Django
currently. But I don't know if it's because nobody has done the work
or if there are reasons to not include a 2-step solution in Django.

--

Cordialement, Coues Ludovic
+336 148 743 42

Florian Apolloner

Jan 15, 2017, 6:22:30 AM
to Django developers (Contributions to Django itself)
Hi,

yes, we'd very much like to have 2FA in Django. At the minimum we'd like to support TOTP and U2F. The idea on why exactly those two is relatively simple: they either cost nothing or are low cost, and the two are so different that if they both work, most other authentication flows will probably work too.

I am not aware of any prior work for django.contrib. Either way, changes like this will require an idea first and then a DEP (which I'll happily shepherd).

Cheers,
Florian

Tim Graham

Jan 16, 2017, 10:59:17 AM
to Django developers (Contributions to Django itself)
There is also a ticket: https://code.djangoproject.com/ticket/25612 "django.contrib.auth should include support for 2fa out of the box".

Gavin Wahl

Jan 16, 2017, 11:28:23 AM
to Django developers (Contributions to Django itself)
I have a project that implements TOTP and U2F as a third-party package: https://github.com/gavinwahl/django-u2f

Alexander Dutton

Jan 16, 2017, 11:38:20 AM
to django-d...@googlegroups.com
There's also <http://pythonhosted.org/django-otp/>, which is fairly easy
to integrate into a Django project.

As a long-term user of (but rare contributor to) Django I'd say the ease
of using one of a number of third-party solutions points to keeping it
out of core.

Relatedly, integrating custom auth (i.e. not just username/password)
would be easier if the Django admin site deferred to LOGIN_URL by
default instead of presenting its own login form. An example issue is
when one uses some sort of web server SSO module with
RemoteUserMiddleware, and then the admin site asks for a
username and password for already-authenticated non-staff (who have no
local credentials).

Yours,

Alex

Tom Evans

Jan 17, 2017, 6:52:23 AM
to django-d...@googlegroups.com
Also django-two-factor, which builds on django-otp and provides all the
extra bits you might need, e.g. setup views, QR code generation for
device registration, login wizards etc., supporting HOTP/TOTP, static
tokens, YubiKey and SMS.

https://markusholtermann.eu/2016/09/2-factor-authentication-in-django/

Cheers

Tom