multi factor authentication for django
Project description
django-mfa3
A reusable Django app that handles multi factor authentication via FIDO2 and TOTP.
Status
I am not whether I will be able to maintain this libabry long-term. If you would like to help or even take ownership of this project, please contact me!
Installation
pip install django-mfa3
Usage
- Add
'mfa'
toINSTALLED_APPS
- Use
mfa.views.LoginView
instead of the regular login view - Set
MFA_DOMAIN = 'example.com'
andMFA_SITE_TITLE = 'My site'
- Register URLs:
path('mfa/', include('mfa.urls', namespace='mfa')
- The included templates are just examples, so you should replace them with your own.
- Somewhere in your app, add a link to
'mfa:list'
Enforce MFA
Optionally, you can add 'mfa.middleware.MFAEnforceMiddleware'
to MIDDLEWARE
(after AuthenticationMiddleware
!). It will redirect all authenticated
requests to 'mfa:list'
as long as the user has no MFAKeys. You can use
mfa.decorators.public
to add exceptions.
Related projects
django-mfa3 is based on pyotp and python-fido2. The example frontend code also uses cbor-js and qrious.
It is inspired by but not otherwise affiliated with django-mfa2. A big difference between the two projects is that django-mfa2 supports many methods, while django-mfa3 only supports FIDO2 and TOTP. U2F was dropped because it is now superseded by FIDO2. Email and Trusted Devices were dropped because I felt like they have inferior security properties compared to FIDO2 and TOTP.
Another major inspiration is django-otp. It is probably the most mature library when it comes to two factor authentication in django. However, its basic structure is not compatible with FIDO2.
It is recommended to use django-mfa3 with django-axes for rate limiting. It is also compatible with django-stronghold.
Security considerations
The actual cryptography is handled by pyotp and python-fido2. This library only provides the glue code for django. Still, there could be issues in the glue.
A notable attack surface is server state: The authentication consists of three separate HTTP requests: The regular login, fetching a challenge, and a response. The server keeps some state in the session across these requests. For example, the user is temporarily stored in the session until the second factor authentication is done. The logic for handling this state is not as straight forward as I would like and there might be issues hidden in there.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for django_mfa3-0.1.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 149d91d54c9081446ef815e58b5859d344babeb9ac9ee5a5758f36994ca9ecd8 |
|
MD5 | e883454a610e57a8308cc1ebaa21d0d2 |
|
BLAKE2b-256 | bde66ce4a6e327872f6d345825e290dad607490ea05195ec821934c8b076826d |