to django-d...@googlegroups.com
Hello,
After reading the recent thread on authentication in django, I
wondered about the chance of getting a 2-step auth mechanism in
django.contrib.
Time-based one-time password, or TOTP, is now part of RFC 6238.
For those who don't know it, it uses a shared secret and the current time
to produce a 6-digit number. That number changes every 30 seconds and is
used to confirm login after entering a correct username and password.
As far as I can tell, there is no such thing present in django
currently. But I don't know if it's because nobody has done the work
or if there are reasons to not include a 2-step solution in django.
--
Regards, Coues Ludovic
+336 148 743 42
Florian Apolloner
Jan 15, 2017, 6:22:30 AM
to Django developers (Contributions to Django itself)
Hi,
yes we'd very much like to have 2fa in Django. At the minimum we'd like to support TOTP and U2F. The idea on why exactly those two is relatively simple: They either cost nothing or are low cost and the two are so different that if they both work, most other authentication flows will probably work too.
I am not aware of any prior work for django.contrib. Either way, changes like this will require an idea first and then a DEP (which I'll happily shepherd).
Cheers, Florian
Tim Graham
Jan 16, 2017, 10:59:17 AM
to Django developers (Contributions to Django itself)
As a long-term user of (but rare contributor to) Django I'd say the ease
of using one of a number of third-party solutions points to keeping it
out of core.
Relatedly, integrating custom auth (i.e. not just username/password)
would be easier if the Django admin site deferred to LOGIN_URL by
default instead of presenting its own login form. An example issue is
when one uses some sort of web server SSO module with
RemoteUserMiddleware, and then the admin site asks for a
username and password for already-authenticated non-staff (who have no
local credentials).
to django-d...@googlegroups.com
Also django-two-factor, which builds on django-otp and provides all
extra bits you might need, e.g. setup views, QR code generation for
device registration, login wizards etc supporting HOTP/TOTP, static
tokens, Yubikey and SMS.