Opened 3 years ago

Last modified 15 months ago

#25612 new New feature

django.contrib.auth should include support for 2fa out of the box

Reported by: Alex Gaynor Owned by:
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Alex Gaynor, moritz.sichert@…, dheeru.rathor14@…, emorley@…, m.levental@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Django did a tremendous service to its users by making strong password hashing be the default. The world is pushing forward, and now 2fa is the next standard that many sites fail to meet.

Django should include support for 2fa out of the box, ideally with support for both u2f and TOTP (Google Authenticator).

Change History (9)

comment:1 Changed 3 years ago by Tim Graham

Triage Stage: UnreviewedSomeday/Maybe

django-developers discussion.

comment:2 Changed 3 years ago by Tim Graham

Triage Stage: Someday/MaybeAccepted

The reception on the mailing list has been positive.

comment:3 Changed 3 years ago by Moritz Sichert

Cc: moritz.sichert@… added

comment:4 Changed 3 years ago by Dheerendra Rathor

Cc: dheeru.rathor14@… added

comment:5 Changed 2 years ago by Ed Morley

Cc: emorley@… added

comment:6 Changed 2 years ago by mlevental

Cc: m.levental@… added
Owner: changed from nobody to mlevental
Status: newassigned

comment:7 Changed 22 months ago by mlevental

It should be distinguishable if a user is authenticated with 1 factor or 2, e.g. for checking if the user is already authenticated with the required number of factors so relogging can be omitted. Therefore a field like is_two_factor_authenticated can be added to the User model.

But then it would be unclear whether the existing field is_authenticated means the user is authenticated with 1 or 2 factors.
To find that out one would have to additionally check for the value of is_two_factor_authenticated and this would be cumbersome.
For convenience another field like is_one_factor_authenticated could be introduced. And to make is_authenticated behave correctly it should return True if either is_one_factor_authenticated or is_two_factor_authenticated is True.

What are your thoughts on that?

comment:8 Changed 22 months ago by Tim Graham

It would be better to put together a proposal and and post it on the DevelopersMailingList. That reaches a wider audience that the few people following the ticket.

comment:9 Changed 15 months ago by mlevental

Owner: mlevental deleted
Status: assignednew
Note: See TracTickets for help on using tickets.
Back to Top