Skip to main content

multi factor authentication for django

Project description

django-mfa3

An opinionated Django app that handles multi factor authentication (MFA) via FIDO2, TOTP, and recovery codes.

Features

  • Two factor authentication is required on login (if the user has registered a key)
  • Stuff just works without much configuration
  • The UI allows to add new keys and to remove keys that have been compromised
  • You can optionally enforce MFA for all users
  • You can (and should) customize the templates
  • Simple code, few dependencies

Installation

pip install django-mfa3

Usage

  1. Add 'mfa' to INSTALLED_APPS
  2. Use mfa.views.LoginView instead of the regular login view. (Be sure to remove any other login routes, otherwise the multi factor authentication can be circumvented. The admin login will automatically be patched to redirect to the regular login.)
  3. Set MFA_DOMAIN = 'example.com' and MFA_SITE_TITLE = 'My site'. See settings.py for a full list of settings.
  4. Register URLs: path('mfa/', include('mfa.urls', namespace='mfa')
  5. The included templates are just examples, so you should replace them with your own
  6. FIDO2 requires client side code. You can either implement it yourself or use the included fido2.js (in which case you will have to provide the third party library cbor-js).
  7. Somewhere in your app, add a link to 'mfa:list'

Enforce MFA

Optionally, you can add 'mfa.middleware.MFAEnforceMiddleware' to MIDDLEWARE (after AuthenticationMiddleware!). It will force users to setup two factor authentication by redirecting all authenticated requests to 'mfa:list' as long as the user has no MFAKeys. You can use mfa.decorators.public to add exceptions.

Send email on failed login attempt

If someone failes to login on the second factor that might indicate that the first factor (password) has been compromised. django-mfa3 will automatically send a warning to affected users under the following conditions:

  • Django needs to be configured for sending email
  • There must be an email address associated with the user account
  • You need to provide some templates
    • mfa/login_failed_subject.txt: optional, a default is included
    • mfa/login_failed_email.txt: required, an example is included in the tests
    • mfa/login_failed_email.html: optional

All templates have access to the following context data: email, domain, site_name, user, method.

Status

I am not sure whether I will be able to maintain this library long-term. If you would like to help or even take ownership of this project, please contact me!

Related projects

django-mfa3 is based on pyotp and python-fido2.

It is inspired by but not otherwise affiliated with django-mfa2. A big difference between the two projects is that django-mfa2 supports many methods, while django-mfa3 only supports FIDO2 and TOTP. U2F was dropped because it is now superseded by FIDO2. Email and Trusted Devices were dropped because I felt like they have inferior security properties compared to FIDO2 and TOTP.

Another major inspiration is django-otp. It is probably the most mature library when it comes to two factor authentication in django. However, its basic structure is not compatible with FIDO2.

It is recommended to use django-mfa3 with django-axes for rate limiting. It is also compatible with django-stronghold.

Security considerations

The actual cryptography is handled by pyotp and python-fido2. This library only provides the glue code for django. Still, there could be issues in the glue.

A notable attack surface is server state: The authentication consists of three separate HTTP requests: The regular login, fetching a challenge, and a response. The server keeps some state in the session across these requests. For example, the user is temporarily stored in the session until the second factor authentication is done. The logic for handling this state is not as straight forward as I would like and there might be issues hidden in there.

Please also be careful when implementing and using this library in your project to prevent higher level security or usability issues. Please refer to other guidelines like the OWASP Cheat Sheet for more informaton on that topic.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_mfa3-0.13.0.tar.gz (16.6 kB view details)

Uploaded Source

Built Distribution

django_mfa3-0.13.0-py3-none-any.whl (22.7 kB view details)

Uploaded Python 3

File details

Details for the file django_mfa3-0.13.0.tar.gz.

File metadata

  • Download URL: django_mfa3-0.13.0.tar.gz
  • Upload date:
  • Size: 16.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for django_mfa3-0.13.0.tar.gz
Algorithm Hash digest
SHA256 e097819753b70232f2cff9c9991eb7b4c034930bcd6d8b14349892a88f3f23e2
MD5 096b16cb912f1903df8d8dce3af77d42
BLAKE2b-256 3b393662acf20fce040861900bf636a54b314480dd35850bdea1b33c83ddffd9

See more details on using hashes here.

File details

Details for the file django_mfa3-0.13.0-py3-none-any.whl.

File metadata

  • Download URL: django_mfa3-0.13.0-py3-none-any.whl
  • Upload date:
  • Size: 22.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for django_mfa3-0.13.0-py3-none-any.whl
Algorithm Hash digest
SHA256 71fa53ce701c65e2862a9a6154506577ca698fbf7d258e5fd97ca4b86d491cd6
MD5 139c1294ced0813c3e32b0636a7cb58d
BLAKE2b-256 20441686101a3ae99ce00b31d0e1aa7b40c2804a999ce7a79922cd74a3e2f9ff

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page