Verify device with email (and consulting?)


David Burke

May 2, 2016, 9:26:08 PM
to django-otp
Hello,

I'm trying to implement email based verification of new devices used to log in. A use case would be

- I log in with a new device.
- I get prompted to verify the device via email
- I get a link in the email with a code that approves the new device
- Next time I use this device - it doesn't require this code. It may however require my password.

The threat it would mitigate is someone who guesses a password but doesn't have access to the victim's email nor their physical devices.

The use case is very close to a one time password...except it would persist longer than the session life. 

I reviewed the EmailDevice class. The "This is intended for demonstration purposes" warning concerns me though. Would it make sense to use this class (or extend it) for my use case? I imagine this would involve a little more - like storing a token on the device forever that allows email 2 factor auth to be bypassed.

I'd be happy to pay psagers or anyone here for some consulting work for this. It would be for an open source project and any code produced would be open sourced. Since this seems like a common use case - it might make sense to develop a drop in django app for it.

Peter Sagerson

May 2, 2016, 9:48:03 PM
to djang...@googlegroups.com
Hi David,

It sounds like https://pypi.python.org/pypi/django-otp-agents/ will be helpful. This builds on django-otp and django-agent-trust to use one-time codes in order to establish that a particular user agent (which more or less corresponds to a device) is trusted and may bypass the additional authentication step in the future.

You could use this with EmailDevice if you like. The warning is there because it’s traditional to let people reset their passwords by email, so this allows an email account to be a single point of failure. If that’s not a threat that concerns you in your particular case, then have at it. You’ll probably want to consider things like how long you want the emailed token to be valid when deciding if EmailDevice is usable as-is or just as a reference point.

Let me know if I didn’t answer anything.

Thanks,
Peter
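Neither message contains code, so the following is an added illustration (not django-otp, django-otp-agents or django-agent-trust code) of the flow David lists above and of Peter's point about choosing how long the emailed token stays valid: a short-lived, single-use code is emailed for a new device, and exchanging it yields a long-lived, signed trust token that lets that device skip the email step later while the password is still required. The in-memory `pending` dict stands in for a database table, the `outbox` list for the mail backend, `SERVER_SECRET` and the two TTLs are assumed policy values, and the HMAC-signed string is a stand-in for a real signer such as Django's signing module or the cookie django-agent-trust manages. The `user` and `device_id` strings are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed values: in a real app the secret comes from settings and the
# lifetimes are policy decisions (Peter's point about token validity).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
CODE_TTL = 15 * 60            # emailed verification code lives 15 minutes
TRUST_TTL = 30 * 24 * 3600    # device trust persists 30 days, beyond the session


@dataclass
class PendingVerification:
    user: str
    device_id: str
    code_hash: str   # only the hash is stored, so a DB leak does not leak live codes
    expires_at: float
    used: bool = False


pending = {}   # (user, device_id) -> PendingVerification; stand-in for a DB table
outbox = []    # constructed stand-in for the mail backend: (user, link) tuples


def _hash_code(code):
    return hashlib.sha256(code.encode()).hexdigest()


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_verification_code(user, device_id, now=None):
    """Step 2 of the flow: a new device logs in, so email a one-time code."""
    if now is None:
        now = time.time()
    code = secrets.token_urlsafe(24)   # unguessable, URL-safe for the emailed link
    pending[(user, device_id)] = PendingVerification(
        user, device_id, _hash_code(code), now + CODE_TTL)
    # Hypothetical link format; the host is a placeholder.
    outbox.append((user, f"https://example.invalid/verify?device={device_id}&code={code}"))
    return code


def confirm_device(user, device_id, code, now=None):
    """Step 3: exchange a valid, unexpired, unused code for a trust token.

    Returns None on any failure so callers cannot tell which check failed."""
    if now is None:
        now = time.time()
    rec = pending.get((user, device_id))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    if not hmac.compare_digest(rec.code_hash, _hash_code(code)):
        return None
    rec.used = True                      # single use: a replayed link does nothing
    # Assumption: user and device_id never contain '|'; a real signer would
    # serialize the payload properly instead of joining fields like this.
    payload = f"{user}|{device_id}|{int(now + TRUST_TTL)}"
    return f"{payload}|{_sign(payload)}"


def device_is_trusted(user, device_id, token, now=None):
    """Step 4: on a later login (password already checked), decide whether
    this device may skip the email step. Never trust the token's own claims
    until the signature has been verified."""
    if now is None:
        now = time.time()
    try:
        t_user, t_dev, exp, sig = token.split("|")
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign(f"{t_user}|{t_dev}|{exp}")):
        return False
    return t_user == user and t_dev == device_id and now <= int(exp)
```

The trust token carries its own expiry, so revocation on a lost device means rotating `SERVER_SECRET` or keeping a server-side deny list; a stored per-device record (as django-agent-trust keeps) makes per-device revocation cheaper, which is one reason to build on those packages rather than this sketch.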
