Opened 9 years ago
Last modified 13 months ago
#25612 assigned New feature
django.contrib.auth should include support for 2fa out of the box
Reported by: | Alex Gaynor | Owned by: | theExplorer |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Alex Gaynor, moritz.sichert@…, dheeru.rathor14@…, emorley@…, m.levental@…, justinmayer, Tom Carrick | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Django did a tremendous service to its users by making strong password hashing be the default. The world is pushing forward, and now 2fa is the next standard that many sites fail to meet.
Django should include support for 2fa out of the box, ideally with support for both u2f and TOTP (Google Authenticator).
Change History (12)
comment:1 by , 9 years ago
Triage Stage: | Unreviewed → Someday/Maybe |
---|
comment:2 by , 9 years ago
Triage Stage: | Someday/Maybe → Accepted |
---|
The reception on the mailing list has been positive.
comment:3 by , 9 years ago
Cc: | added |
---|
comment:4 by , 9 years ago
Cc: | added |
---|
comment:5 by , 9 years ago
Cc: | added |
---|
comment:6 by , 8 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
comment:7 by , 8 years ago
It should be distinguishable if a user is authenticated with 1 factor or 2, e.g. for checking if the user is already authenticated with the required number of factors so relogging can be omitted. Therefore a field like `is_two_factor_authenticated` can be added to the `User` model.
But then it would be unclear whether the existing field `is_authenticated` means the user is authenticated with 1 or 2 factors.
To find that out one would have to additionally check for the value of `is_two_factor_authenticated` and this would be cumbersome.
For convenience another field like `is_one_factor_authenticated` could be introduced. And to make `is_authenticated` behave correctly it should return `True` if either `is_one_factor_authenticated` or `is_two_factor_authenticated` is `True`.
What are your thoughts on that?
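A sketch of the flag semantics proposed in comment:7, added here as an example; it is not part of the ticket and not Django code. `AuthState`, `verify`, `needs_relogin` and the factor labels are hypothetical names, and "one factor" is assumed to mean exactly one, so the two flags never overlap.

```python
from dataclasses import dataclass, field

# Hypothetical factor labels; the ticket names u2f and TOTP but defines no constants.
PASSWORD, TOTP, U2F = "password", "totp", "u2f"


@dataclass
class AuthState:
    """Factors verified during the current login (hypothetical, not a Django class)."""
    verified: set = field(default_factory=set)

    @property
    def factor_count(self):
        # A set is used so that the same factor checked twice still counts once.
        return len(self.verified)

    @property
    def is_one_factor_authenticated(self):
        # Assumption: exactly one verified factor.
        return self.factor_count == 1

    @property
    def is_two_factor_authenticated(self):
        return self.factor_count >= 2

    @property
    def is_authenticated(self):
        # As proposed in comment:7: True if either of the two flags is True.
        return self.is_one_factor_authenticated or self.is_two_factor_authenticated


def verify(state, factor):
    """Record a factor that was checked successfully and return the state."""
    state.verified.add(factor)
    return state


def needs_relogin(state, required_factors):
    """True when a view requires more factors than this login has verified."""
    return state.factor_count < required_factors
```

Deriving all three flags from one set of verified factors keeps them from contradicting each other, and a password entered twice is never mistaken for a second factor.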
comment:8 by , 8 years ago
It would be better to put together a proposal and post it on the DevelopersMailingList. That reaches a wider audience than the few people following the ticket.
comment:9 by , 7 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:10 by , 3 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:11 by , 2 years ago
Cc: | added |
---|
comment:12 by , 13 months ago
Cc: | added |
---|
django-developers discussion.