Second factor login without OTP code


Karl Goetz

Nov 1, 2017, 10:50:25 PM
to django-otp
Hi,

I'm adding 2FA using a device + service which doesn't generate a code which can be entered into the 'OTP token' field (e.g. as found at https://bitbucket.org/psagers/django-otp/src/18157daefe593666c5ab6e98b80c1bfd6f1a53e9/django-otp/django_otp/templates/otp/admin14/login.html?at=default&fileviewer=file-view-default#login.html-42).

I'm wondering what the recommended layer to handle that is, since django_otp seems geared around a code received -> text entered -> validated workflow.

Would it be preferable to try and detect the type of device in the template and suppress the token field or would I be better off customising the validation on OTPTokenForm?

Thanks in advance,
kk

Peter Sagerson

Nov 2, 2017, 11:39:18 AM
to djang...@googlegroups.com
As a rule, the best experience is to present device-specific UI. The forms are provided as a kind of quick and dirty generic solution, but there's no reason to be limited by them. In my own deployment, I verify authenticated users by prompting them for a specific device ("Please verify with your <b>{{device.name}}</b>.") and including a link to display a list of all of their configured devices so they can choose something else. The UI for an SMS device is slightly different than the others, since it requires requesting a code. In principle, you should be able to present any UI you want for any kind of custom device.

Thanks,
Peter
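
The device-specific prompt described above, together with a server-side check for a device that has no typed code, as an added example that is not part of the thread and is not django-otp code. The `PushService` class, the device kinds `totp`/`sms`/`push`, the session layout and the 120-second lifetime are all assumptions made for illustration.

```python
import secrets
import time

APPROVAL_TTL = 120  # assumed lifetime of a pending approval, in seconds

class PushService:
    """Constructed stand-in for the out-of-band approval service (hypothetical)."""
    def __init__(self):
        self._approved = set()
    def start(self, user):
        return secrets.token_urlsafe(16)      # challenge id issued per attempt
    def approve(self, challenge_id):          # simulates the user approving
        self._approved.add(challenge_id)
    def is_approved(self, challenge_id):
        return challenge_id in self._approved

def prompt_for(kind, name):
    """Choose the UI per device kind; only code-based devices get a token field."""
    fields = {
        "totp": {"token_field": True, "request_button": False},
        "sms": {"token_field": True, "request_button": True},   # code is requested
        "push": {"token_field": False, "request_button": False},
    }
    return dict(fields[kind], message=f"Please verify with your {name}.")

def begin_push(session, user, service, now=None):
    """Start an approval and keep its id in the server-side session only."""
    now = time.time() if now is None else now
    session["push"] = {"id": service.start(user), "user": user,
                       "expires": now + APPROVAL_TTL}

def finish_push(session, user, service, now=None):
    """Ask the service about the stored challenge; the browser never supplies
    the result, and an approved challenge is accepted once."""
    pending = session.get("push")
    if not pending or pending["user"] != user:
        return False
    now = time.time() if now is None else now
    if now > pending["expires"]:
        session.pop("push")                   # expired: force a fresh attempt
        return False
    if not service.is_approved(pending["id"]):
        return False                          # still waiting; caller may poll again
    session.pop("push")                       # single use
    return True
```

In a Django view, a `True` result from `finish_push` is the point at which `django_otp.login(request, device)` would mark the session as verified.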

Karl Goetz

Nov 3, 2017, 6:04:52 PM
to djang...@googlegroups.com

Hi Peter,
Thanks for explaining. I will have a go at making a custom form and template next week.

Thanks,
Kk