
Multi-Factor Authentication #3383

Merged
merged 25 commits into from
Aug 29, 2023
Conversation

pennersr
Owner

Introduces allauth.mfa -- adding support for MFA.

@pennersr pennersr marked this pull request as draft August 23, 2023 19:08
@coveralls

coveralls commented Aug 23, 2023

coverage: 91.472% (+0.2%) from 91.319% when pulling 56926de on feat-mfa into 437cb65 on main.

@ryanhiebert
Contributor

This is very exciting, and I expect that I'll be trying to implement it. I'll note one thing for your consideration: we would like to be able to require 2FA, except when the user logs in via a SAML SSO integration, so if it were convenient to make that possible via a hook or signal or something, I know that would be helpful for what we'd like to be able to do.

@pennersr
Owner Author

There are multiple ways to force users to turn on 2FA. Forcing it right away may be a bit harsh, as when the user signs in for the very first time he is immediately confronted with 2FA technicalities without having ever seen the rest of the site. So, you might want to set a deadline within which the user needs to turn it on. All in all, whatever you do/choose here is a bit project specific, so that really is up to you to decide. You could for example set up a middleware of your own so that, whenever the user has not turned on 2FA and the deadline has passed, a redirect to the 2FA setup pages takes place. Also, this PR includes the concept of login stages where you can intervene in the login pipeline. So there are already multiple ways of implementing what you need.
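One way to build the middleware described in the comment above, as an added example that is not part of this PR or of allauth's own code: it redirects signed-in users who have not enrolled in 2FA once a grace period after signup has elapsed, and exempts logins that came through an SSO provider (the case raised earlier in the thread). The `allauth.mfa` setup route, the `Authenticator` model lookup and the session key used to recognise a social/SAML login are assumptions; the decision itself lives in a plain function so it can be tested without Django.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy knobs (not allauth settings): the grace period after signup,
# and the paths an unenrolled user must still reach or the redirect would loop.
GRACE_PERIOD = timedelta(days=7)
EXEMPT_PREFIXES = ("/accounts/2fa/", "/accounts/logout/")
SETUP_URL = "/accounts/2fa/totp/activate/"      # assumed allauth.mfa route
SESSION_KEY = "account_authentication_methods"  # assumed allauth session key


@dataclass
class Principal:  # the slice of request state the policy needs (constructed type)
    is_authenticated: bool
    has_mfa: bool            # e.g. Authenticator.objects.filter(user=u).exists()
    logged_in_via_sso: bool  # the IdP is trusted to enforce its own MFA
    date_joined: Optional[datetime] = None


def mfa_redirect_target(p: Principal, path: str, now: datetime) -> Optional[str]:
    """Return a URL to redirect to, or None when the request may proceed."""
    if not p.is_authenticated or path.startswith(EXEMPT_PREFIXES):
        return None
    if p.logged_in_via_sso or p.has_mfa:
        return None
    if p.date_joined is not None and now < p.date_joined + GRACE_PERIOD:
        return None  # still inside the enrollment deadline
    return SETUP_URL


def logged_in_via_sso(session) -> bool:
    # Assumed layout of allauth's session record: [{"method": "socialaccount", ...}]
    return any(m.get("method") == "socialaccount" for m in session.get(SESSION_KEY, []))


class RequireMFAMiddleware:
    """Django middleware; Django/allauth are imported lazily so the policy stays testable."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        from django.http import HttpResponseRedirect
        from allauth.mfa.models import Authenticator
        user = request.user
        has_mfa = user.is_authenticated and Authenticator.objects.filter(user=user).exists()
        p = Principal(user.is_authenticated, has_mfa, logged_in_via_sso(request.session),
                      getattr(user, "date_joined", None))
        target = mfa_redirect_target(p, request.path, datetime.now(timezone.utc))
        return HttpResponseRedirect(target) if target else self.get_response(request)
```

Register the class in `MIDDLEWARE` after the authentication and session middleware so `request.user` and `request.session` are populated; the exempt prefixes must match wherever the project mounts the allauth URLs.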

@pennersr
Owner Author

Also, wondering, wouldn't it be better to require 2FA over at the SAML Identity Provider instead of within your own Django project?

@ryanhiebert
Contributor

Also, wondering, wouldn't it be better to require 2FA over at the SAML Identity Provider instead of within your own Django project?

Yes, that's precisely our use-case. We want to be able to require 2FA (and in our case forcing immediate enrollment is desired), unless they are logging in with SSO where we will rely on the SSO provider to maintain those types of controls instead.

@pennersr pennersr merged commit 740cc88 into main Aug 29, 2023
22 checks passed
@akx
Contributor

akx commented Sep 4, 2023

sad django-allauth-2fa maintainer noises

@pennersr pennersr deleted the feat-mfa branch October 13, 2023 08:44
4 participants