Hello,
I'm trying to implement email based verification of new devices used to log in. A use case would be
- I log in with a new device.
- I get prompted to verify the device via email
- I get a link in the email with a code that approves the new device
- Next time I use this device - it doesn't require this code. It may however require my password.
The threat it would mitigate is someone who guesses a password but doesn't have access to the victim's email nor their physical devices.
The use case is very close to a one-time password... except it would persist longer than the session life.
I reviewed the EmailDevice class. The "This is intended for demonstration purposes" warning concerns me though. Would it make sense to use this class (or extend it) for my use case? I imagine this would involve a little more - like storing a token on the device forever that allows email 2 factor auth to be bypassed.
I'd be happy to pay psagers or anyone here for some consulting work for this. It would be for an open source project and any code produced would be open sourced. Since this seems like a common use case - it might make sense to develop a drop-in Django app for it.
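As an added example (not code from django-otp, and not the poster's), one way to persist the approval once the emailed code has been verified: a signed "trusted device" token handed to the device, bound to the user, a per-device identifier and a per-user key version, so that bumping the version (e.g. on a password change) revokes every trusted device at once. The secret, the 30-day lifetime and the claim names are assumptions; the email challenge itself and the cookie/storage plumbing are outside this snippet.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example; a real deployment reads this from settings/KMS.
SERVER_SECRET = secrets.token_bytes(32)
TRUST_TTL = 30 * 24 * 3600  # assumption: an approved device stays trusted for 30 days


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw payload, hex encoded."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_device_token(user_id, device_id, key_version, now=None):
    """Called once the emailed approval code has checked out.

    The token is bound to the user, the device and the user's current
    key_version; rotating key_version invalidates every issued token."""
    now = int(now if now is not None else time.time())
    claims = {"u": user_id, "d": device_id, "kv": key_version, "t": now}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def device_is_trusted(token, user_id, device_id, key_version, now=None) -> bool:
    """True only if the token was issued by us for this user and device,
    has not expired, and the user's key_version has not changed since."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError, AttributeError):
        return False
    # Verify the signature before trusting any of the claims.
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    return (claims["u"] == user_id and claims["d"] == device_id
            and claims["kv"] == key_version and now - claims["t"] <= TRUST_TTL)
```

At login, `device_is_trusted(...)` returning False is the signal to fall back to the emailed code; the password check still runs either way.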