Add support for two-factor authentication #1681
Comments
|
Great idea. I'd like to see this in Weblate. |
|
Maybe as an addition, but in my experience, U2F etc. devices are pretty widely spread, same goes for TOTP etc. I guess having webauthn is nice to have, but U2F with a password is already quite strong, webauthn just adds some convenience while retaining a high security level. |
|
U2F devices should be supported through webauthn, it is more generic browser API for authentication (at least this is my impression from that). |
|
I've seen that there is said to be some U2F downward compatibility from webauthn. I just ask you to ensure this compatibility, it seems that you need to set a few things up the right way to make it work. That said, offering TOTP/HOTP in addition helps strengthen non-expert users' security, who might not be willing to invest in a U2F/webauthn device. Sure, it's not bulletproof, but can at least prevent a few attacks. |
nijel
added
the
backlog
|
This issue has been added to backlog. It is not scheduled on our road map, but it might be eventually implemented. In case you desperately need this feature, please consider helping or funding the development. |
|
Two years later I got back to this. TOTP could be easily integrated using https://github.com/django-otp/django-otp, but this library is likely not to receive any improvements in the future. WebAuthn has is a low-level module https://pypi.org/project/webauthn/, but I could not find any reasonable Django integration. There is a bunch of modules, but none of them seems maintained and in a good shape (see django-otp/django-otp#40 for some discussion). Out of other libraries, the most promising looks https://github.com/mkalioby/django-mfa2 as it supports all we want, but it's maintenance status is not good. In the end the most reliable approach might be to build this on low-level libraries as that would easily integrate into our python-social-auth based workflow. Just for the reference, here is how this got integrated into pypi.org (they are using Flask, so it's slightly different): pypi/warehouse@59ab1f2 pypi/warehouse@6cbaf84 |
|
Generally, it seems like U2F/Webauthn is either not implemented at all in many popular Python web applications, or in a proprietary, i.e., non-portable way. It's a bit of a shame that there are no good libraries available to just integrate yet. Of course, maintaining a library can be a lot of effort. But in a framework like Django there should have been an official solution available for years. django-mfa2 actually looks quite good, there has been a release not too long ago even. I think once implemented, there is not a lot to improve on these modern auth mechanisms. The only issue might be the slightly complex integration into existing projects, but I'm quite confident you would manage to get it done. Also, it's not built on top of Webauthn but kind-of reinvents the wheel as well (at least for {T,H}OTP it seems to use a library called pyotp). I hope your implementation is either based on or ends up in a reusable solution rather than what PyPI did. |
Unfortunately, it does not. Based on quick look inside:
|
|
That's a pity. Missing tests is one thing, but then also hard-to-maintain code... and there's obviously no excuses for violating database best practices. Perhaps it's time for a proper Django webauthn module? I'm unfortunately not at all into Django... |
|
Some months later, I did another look into available libraries and found few ones which were not mentioned before:
At least kagi and django-two-factor-auth seem promising now, and we should look into them in more depth. |
|
@nijel how about we use pyotp libraries and for fallback option we genrate one time passwords and prompt user to save them in case he dosent have or lost 2fa device |
|
We definitely want WebAuthn support as well, that's why I've listed suitable integrations above. They also provide Django integration to make implementation easier. |
|
Why do you focus on pyotp? It doesn't address WebAuthn part. It doesn't have Django integration. I think one of the above referenced libraries will be a better approach than implementing everything again.
This is already present: https://docs.weblate.org/en/latest/admin/optionals.html#rate-limit
We're not really interested in obscure TOTP delivery. The only thing that makes sense to implement is TOTP with application on the user side. PS: This looks like a GSoC submission, are you aware that Weblate doesn't participate in that? |
|
ok i will work using https://github.com/jazzband/django-two-factor-auth. And i know we are not part of gsoc but i am working or similar problem for gsoc but weblate is my first open sourece library that i am part of so i thought why not add this feature to weblate |
|
2FA is quite a complex topic for a first contribution, but if you want to give it try, you're welcome. Before actually implementing anything, please post here a summary of changes you're going to make so that we can review the 2FA flow before. |
|
@nijel can you just show me location of email server and database where user personal information is stored |
|
We're using Django to access both, see https://docs.djangoproject.com/en/5.0/#the-model-layer or https://docs.djangoproject.com/en/5.0/topics/email/. |
Adding opt-in support for two-factor authentication might improve security for users. There are certainly several existing implementations for Django, the question is how they would plug into our customized python-social-auth based authentication pipeline.
Anyway it should support at least TOTP (Google Authenticator) and FIDO U2F (hardware keys).
The text was updated successfully, but these errors were encountered: