Hi Tobias, Thanks for the feedback.
There are multiple ways to implement MFA, as you mentioned. But the goal here is to provide a simple mechanism. It's "not necessary" to cover every use case, and I believe that's where third-party packages come in. Based on a study conducted by Microsoft, a user account is "99.9% less likely to be compromised if" the user uses MFA. So, it would be beneficial to have this feature in Django. On Thursday, April 7, 2022 at 9:55:32 PM UTC+3 Tobias Bengfort wrote: > Hi Yonas, > > the best place to start is probably to look at thrid party packages, e.g.: > > https://github.com/django-otp/django-otp > https://github.com/jazzband/django-two-factor-auth > https://github.com/mkalioby/django-mfa2 > https://gitlab.com/stavros/django-webauthin > https://github.com/xi/django-mfa3 (mine) > > I am not convinced that moving this into django is the best approach > though. There is just so many ways you can do MFA/passwordless. Recovery > in particular is complex with a lot of different solutions, depending on > context. > > I also noticed that you omitted FIDO2/webauthn from your list of > protocols. It is the newest of these protocols and requires a very > different architecture, but I guess that IETF and W3C had reasons to > choose it. > > I do agree that a simple, opinionated solution in django itself could > push 2FA adaption and therefore general security on the web, which is > clearly a good thing. But I still think this works better in a third > party app such as django-mfa3. > > best, > tobias > > > On 07/04/2022 14.42, Yonas wrote: > > Hello, > > > > The idea to implement MFA (2FA) has been brought up a couple of times > > over the past years. And the community seems interested. > > > > I am willing to implement this feature (HOTP, TOTP, and email). However, > > a QR code generator is required. > > > > If someone can help with this, it would be awesome. Otherwise, what do > > you think about bringing a third-party QR code generator into core? > > > > If both options are not feasible, displaying the secret key to the user > > is another alternative (not ideal). But the developer has the freedom to > > install a third-party package and show the QR code. > > > > Best, > > Yonas > > > > -- > > You received this message because you are subscribed to the Google > > Groups "Django developers (Contributions to Django itself)" group. > > To unsubscribe from this group and stop receiving emails from it, send > > an email to django-develop...@googlegroups.com > > <mailto:django-develop...@googlegroups.com>. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/django-developers/1d65ecc4-01a3-461e-bf72-e576a5860345n%40googlegroups.com > > > < > https://groups.google.com/d/msgid/django-developers/1d65ecc4-01a3-461e-bf72-e576a5860345n%40googlegroups.com?utm_medium=email&utm_source=footer > >. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/87921818-06cf-4e1e-976f-69d444edbd15n%40googlegroups.com.
