Help Understanding MFA Implementation

[BenA-SA]

Hi all,

I saw that the django-allauth package recently introduced MFA, which is a great addition. However, I have no experience implementing MFA, and my project was generated with cookiecutter-django, so almost all of the Django-Allauth implementation I've got was generated automatically.

Could someone give me a brief explanation on how to add MFA to my project and require users to log in with MFA? Or a link to a guide explaining how to add it would be fantastic too. The actual documentation on MFA seems pretty limited so far.

Thanks for any help anyone can offer!

EDIT:
I have managed to implement MFA by following the advice in a separate discussion here, however it would be great to know how to require the user to use 2fa.

[BenA-SA]

Is anyone able to advise on this please?

[pennersr]

Requiring the user to use 2FA could be implemented in various ways. For example requiring the user to setup 2FA immediately at sign up, to limit certain functionality until 2FA is activated, to give the user a certain deadline before which 2FA should be activated, and so on. Given that there are multiple ways of tackling this requirement this is not something that is offered out of the box -- you will have to implement this yourself in your own project.

[BenA-SA]

Ok no problem, thanks for answering!

[Yembot31013]

please how can I set the issuer name for my 2FA?

[pennersr]

https://docs.allauth.org/en/latest/mfa/adapter.html#allauth.mfa.adapter.DefaultMFAAdapter.get_totp_issuer

[Yembot31013]

please I mean set the issuer name, like where I can define it globally maybe in settings.py file. Because I used cookiecutter to generate my project and the issuer name in the authenticator app is showing the name I provided when generating using cookiecutter, so please how to fix this.

[pennersr]

See: https://docs.allauth.org/en/latest/mfa/configuration.html MFA_TOTP_ISSUER

[KulovacNedim]

Hi everyone. I’m working on a project that uses Django DRF as the backend and React.js as the frontend. The setup already incorporates django-allauth for Social Login (Google) and email/password authentication.

Now, I’d like to enhance the security by integrating OTP (one-time password) functionality for user authentication. While I’ve found bits of documentation, I’m struggling to piece everything together.

Here’s what I’d like to achieve:

• Set up an OTP device for a user programmatically (e.g., during the user registration process). I’m unsure if this is natively supported by django-allauth.
• Generate a QR code that users can scan with authenticator apps (like Google Authenticator or Authy). I’ll handle the process of sending or displaying this QR code to users.
• Secure the login flow by requiring OTP validation after users successfully enter their username and password.
  I’m considering sticking to django-allauth since it supports MFA, but I wonder if other tools (like django-otp or django-allauth-2fa) would simplify this process.

Could anyone:

• Confirm if django-allauth can support OTP devices directly and whether additional libraries are necessary?
• Share examples or documentation for generating QR codes and linking them to users in the backend?

I really appreciate any insights or advice you can share. Thanks so much in advance for your help!

[pennersr]

@KulovacNedim:

Confirm if django-allauth can support OTP devices directly and whether additional libraries are necessary?

Confirmative. No additional libraries needed, see: https://docs.allauth.org/en/latest/headless/openapi-specification/#tag/Account:-2FA

Share examples or documentation for generating QR codes and linking them to users in the backend?

See https://react.demo.allauth.org/ -- it shows all of allauth, including 2FA/TOTP, using a React app. Source is here: https://codeberg.org/allauth/django-allauth/src/branch/main/examples/react-spa

[KulovacNedim]

Hey @pennersr - thanks so much for the quick response, and sorry for the delay on my end - I had to switch to another project but just got back to this today.

I totally get it, and your example is super helpful! After looking at the code, it seems like everything I need is there. The problem is, my project also depends on dj-rest-auth=7.0.0, and unfortunately, when I add django-allauth to the Pipenv file, it doesn’t bring in the headless package 🤷‍♂️

I’ve tried a few different approaches - adding it as a full package, or just as extras, and I even set allauth to 0.61.1 while keeping dj-rest-auth at 7.0.0 (or 6.0.0), but no luck. The headless package/extra just won’t install. For testing, I removed dj-rest-auth and installed allauth on its own, and that worked, but as soon as I add dj-rest-auth back in, it forces its version to 1.2, which isn’t ideal.

After more than two hours of tinkering, it looks like I may have to switch to django-otp, although I’d prefer to stick with allauth.

Thanks again for your help!

[pennersr]

my project also depends on dj-rest-auth=7.0.0

Why? When using allauth.headless that is no longer needed.

[KulovacNedim]

I saw that and it's great. However, there are two custom login views (social and email/pass) in the project extending dj-rest-auth views. The reason why they are custom is (my best guess) because they are implementing some custom logic (checking if users are invited or if the invitation is valid, and just a few email domains are allowed).

Potentially, I could extend allauth views instead of dj-rest ones, and plug in the same validation. I'm not sure, honestly

[pennersr]

I could extend allauth ...

FWIW -- requiring additional input during signup is explained here: https://docs.allauth.org/en/latest/headless/faq.html