Support two factor auth #3523

Open
agjohnson opened this issue Jan 16, 2018 · 9 comments
Comments

@agjohnson
Contributor

@agjohnson agjohnson commented Jan 16, 2018

We should enable 2fa for dashboard users. I keep wanting to add site admin features to the dashboard, but then think about the security aspects of adding these features and find myself also wanting 2fa. There are some libraries that do handle a 2fa workflow for standard django logins, but I don't know if this extends to django + allauth or django + mamacas.

I'm sure we're probably in agreement of this being an important feature, but I'm not sure we can gauge the importance of 2fa for users. I'm sure community users would use a feature like this, and site admins would use this feature -- I doubt this is in high demand for commercial hosting customers though.

The following thoughts come to mind:

  • Is this too hard? Does allauth play well with a 2fa workflow?
  • Is there any reason besides complicating login that we shouldn't?
@ericholscher
Member

@ericholscher ericholscher commented Mar 27, 2018

I'm +0 on adding it. I don't think RTD is so sensitive that we are a common attack vector. I'm much more worried about building authoring features before building something like this, unless it's simple to do with a pluggable Django app. Unless users are specifically asking for this, I don't see it as a high priority (sadly).

@agjohnson
Contributor Author

@agjohnson agjohnson commented Mar 29, 2018

Yeah, I agree on priority here. This is a feature that I consider more important for commercial hosting, but I also haven't had any requests for this feature though.

@agjohnson
Contributor Author

@agjohnson agjohnson commented Mar 29, 2018

Also, I think a lot of what I want to add would probably be more applicable as a django admin action instead of an on site admin only feature.

@agjohnson agjohnson removed this from the Security milestone Mar 29, 2018
@stale

@stale stale bot commented Jan 10, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@ericholscher
Member

@ericholscher ericholscher commented Jan 10, 2019

Accepted 👍

@dojutsu-user
Member

@dojutsu-user dojutsu-user commented Feb 2, 2019

@agjohnson

> more applicable as a django admin action instead of an on site admin only feature

I am a little confused about what this line means.
Also, the Needed: design decision tag is removed. Can it be made clear what needs to be done?

@MatteoGheza

@MatteoGheza MatteoGheza commented Jan 7, 2021

Any update on this?

@ericholscher
Member

@ericholscher ericholscher commented Jan 7, 2021

Sadly not -- we'd love to support it, but it isn't on our short term roadmap. If there is a good way to handle this via Django, we'd love to know, but I haven't found one.

@humitos
Member

@humitos humitos commented Jan 15, 2021

Today I did a quick search and I found this one https://django-allauth-2fa.readthedocs.io/en/latest/, which looks like a good candidate since it should integrate directly with our current auth system: django-allauth.
