Add 2FA to the login flow #1858
Comments
Good option probably: https://django-two-factor-auth.readthedocs.io/
If we were to do this, I think we should directly go for FIDO(2) https://pypi.org/project/django-mfa2/
I do not particularly like that package. There are no tests, the code has no codestyle applied. (Note after I wrote this: other people agree) I do agree that webauthn/fido2 is a good thing, but it doesn't look like there is an easy and good way to get it in.
My main point :)
https://github.com/oliwarner/django-multifactor/ another option, basically rewritten django-mfa2. Like it more, but it requires quite some custom templates, plus we need to find a way on how to force 2FA in places. That library wants 2FA for specific views. I'd rather have it 1 time once you login, because that won't bother the API consumers since that can be part of the OAuth process. So:
I think it would be nice to do this soon. https://django-two-factor-auth.readthedocs.io/ is popular and stable now. It also supports webauthn. Should be simple to set up, and after that we can look into enforcing 2FA, for example (perhaps gradually) for superusers, board, active members, people with thalia pay set up.
Describe the solution you'd like
It would be great if there was an option to add a TOTP to user accounts.
Motivation
2FA adds an extra layer of security for the users. As many people use weak passwords or reuse passwords, having the option of 2FA is considered best practice.
This security is especially important for admin and moderator users. If one of their accounts gets compromised, an attacker might be able to leak/alter sensitive data. If you implement this, you might want to consider enforcing 2FA for privileged accounts.
Additional context
As a study association that (partly) focuses on digital security, I feel that it is important to follow these types of best practices.
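The pieces that "add a TOTP to user accounts" actually needs, as an added example that is not part of this issue, the project, or django-two-factor-auth: a per-user random secret, the otpauth:// URI the authenticator app scans at enrolment, and a verifier that tolerates a step of clock drift but refuses to accept a code twice. The names (`TotpVerifier`, `provisioning_uri`, the issuer and account strings) are this example's own assumptions; the only external values used are the RFC 4226/6238 test vectors.

```python
"""TOTP (RFC 6238) enrolment and verification in pure Python (standard library only).

Added example, not code from the project discussed above or from any of the
Django packages mentioned. Class and function names are this example's own.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

PERIOD = 30   # seconds per time step; the default that authenticator apps assume
DIGITS = 6


def generate_secret(nbytes: int = 20) -> bytes:
    """Random shared secret; 20 bytes = 160 bits, the HMAC-SHA1 output size."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (Key Uri Format) accepted by Google Authenticator, FreeOTP, etc.

    Shown to the user once, usually as a QR code, during enrolment.
    """
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    query = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": DIGITS,
        "period": PERIOD,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at // period)


class TotpVerifier:
    """Verifies codes for one user, allowing +/- `window` time steps of drift.

    `last_step` is the highest time step already accepted for this user and
    must be persisted (e.g. a column on the user's TOTP device row), so that a
    code captured by an attacker cannot be replayed inside the drift window.
    """

    def __init__(self, secret: bytes, window: int = 1, last_step: int = -1):
        self.secret = secret
        self.window = window
        self.last_step = last_step

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        step = now // PERIOD
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed, or older than one that was: refuse replay
            expected = hotp(self.secret, candidate)
            # constant-time comparison; the code is 6 digits, so length leaks nothing
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" at time 59.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))  # 287082, the 6-digit form of the RFC's 94287082
    print(provisioning_uri(generate_secret(), "alice@example.org", "example.org"))
```

The replay guard is deliberately "monotonic": once a code for step N has been accepted, codes for any step up to N are rejected even if they fall inside the drift window. That is the behaviour a practitioner wants, since a one-time code that can be used twice is not one-time; a real deployment also needs the usual login rate limit on top of it, which this example leaves to the surrounding framework.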