Is anyone working on a two-step login for auth? (Sometimes called two factor authentication)


Cliff Kachinske

May 1, 2013, 4:36:43 PM
to web...@googlegroups.com
If so, can you share the code?

If not, I will put it on my todo list, but there are a lot of things in front of it.

Thanks,
Cliff Kachinske


PN

Apr 24, 2014, 2:29:52 PM
to web...@googlegroups.com
I just implemented two-factor authentication in an app that I am working on. Unfortunately, it required changing the login() method of the gluon/tools.py file directly; there was no mechanism that would allow secondary login requirements. Is this still useful? If someone is more experienced in web2py authentication and can point me in the right direction, I can try to make a patch for it.

If there is interest, I can clean out the customer/private information from the code and upload a version somewhere.

Massimo Di Pierro

Apr 24, 2014, 10:01:08 PM
to web...@googlegroups.com
Very much useful. It should go in web2py.

Michele Comitini

Apr 25, 2014, 6:16:15 AM
to web...@googlegroups.com
@PN can you make a fork on github and create a pull request with your
modifications? I agree with Massimo that it is very useful for
web2py!

2014-04-25 4:01 GMT+02:00 Massimo Di Pierro <massimo....@gmail.com>:
> Very much useful. It should go in web2py.

pallav

Apr 27, 2014, 2:31:37 AM
to web...@googlegroups.com
Submitted the pull requests.


The two-step verification in this pull can be activated on a per-user basis by adding the user to a group named 'web2py Two-Step Authentication'. This string is hard-coded in the code. If a user logs in successfully with their username and password, and they are a part of this group, then the two-step functionality is enabled. The server sends an email to the user's registered email address with a random code. The user has 4 tries to enter this code before they are logged out and must enter username/password again.

Possible future enhancements:
  • Add some ability to customize. Let people create their own two-step auth methods (like the extended_login functionality)
  • Add TOTP based two-factor authentication instead of sending email (there is already a MOTP plugin for web2py that can be used as base)
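
The flow described in the post above (password check, group membership test, emailed random code, four tries), as an added sketch that is not the code from the pull request or from web2py's gluon/tools.py. The class and method names, the six-digit code length and the `send_email` callable are assumptions made for illustration.

```python
import hmac
import secrets

TWO_STEP_GROUP = 'web2py Two-Step Authentication'  # group name quoted in the post
MAX_TRIES = 4                                      # tries allowed, per the post


class TwoStepLogin:
    """State for one login attempt; a real app keeps this in the server-side session."""

    def __init__(self, user_groups, send_email):
        self.send_email = send_email  # hypothetical callable(code) that mails the user
        self.required = TWO_STEP_GROUP in user_groups
        self.code = None
        self.tries_left = 0
        self.logged_in = False

    def password_ok(self):
        """Call only after the username and password have been verified."""
        if not self.required:
            self.logged_in = True
            return 'logged_in'
        # Random code from the OS CSPRNG; six digits is an assumed length.
        self.code = '%06d' % secrets.randbelow(10 ** 6)
        self.tries_left = MAX_TRIES
        self.send_email(self.code)
        return 'code_sent'

    def submit_code(self, candidate):
        """Check one code entry; the counter lives server-side, never in the form."""
        if self.code is None:
            return 'password_required'
        self.tries_left -= 1
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(candidate.encode(), self.code.encode()):
            self.code = None          # single use
            self.logged_in = True
            return 'logged_in'
        if self.tries_left == 0:
            self.code = None          # code is burned: back to username/password
            return 'password_required'
        return 'retry'
```

Discarding the code after the fourth failure is what bounds online guessing: each password login gives at most four chances against one million possible values.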


pallav

Apr 27, 2014, 10:10:07 PM
to web...@googlegroups.com
For anyone wondering on the status, my code causes the unit tests for web services to break. I plan on looking into it over the next couple of days.

thehuman trashcan

Apr 29, 2014, 4:57:49 AM
to web...@googlegroups.com
Thanks for working on this! I think it is important and look forward to implementing it.

All the best

pallav

May 14, 2014, 2:18:59 PM
to web...@googlegroups.com
Another update - submitted the fixed code as a pull request. This fixes the issue that was causing unit tests to fail. Waiting to hear back from the team.

PN

Sep 2, 2014, 1:34:57 PM
to web...@googlegroups.com
Update. The code is part of web2py starting at version 2.9.6