
Deprecate in favor of django-two-factor-auth #19

Open
xi opened this issue May 6, 2023 · 3 comments

Comments

@xi
Owner

xi commented May 6, 2023

I started this project in 2021 because I needed FIDO2 authentication for Django and there was no good library available. However, that changed. In January 2023, version 1.15.0 of django-two-factor-auth was released with FIDO2/WebAuthn support.

django-two-factor-auth is maintained by jazzband and much more popular than django-mfa3. So even though I like working on this library, I think it is the responsible thing to deprecate it.

Steps to do:

  • review django-two-factor-auth
  • contribute any features that are missing compared to django-mfa3
  • document the migration process
  • make a release to announce the deprecation

There is a small chance that after reviewing django-two-factor-auth I find out that the approaches are different enough so that it makes sense to keep both projects around. But honestly I don't think that will happen.

@xi
Owner Author

xi commented Aug 30, 2023

These are notes for migration. I will update this comment as I find out more.

  • add django-two-factor-auth[phonenumberslite,webauthn] as a dependency
  • add the following to INSTALLED_APPS:
    'django_otp',
    'django_otp.plugins.otp_static',
    'django_otp.plugins.otp_totp',
    'two_factor',
    'two_factor.plugins.webauthn',
  • add 'django_otp.middleware.OTPMiddleware' to MIDDLEWARE (after django.contrib.auth.middleware.AuthenticationMiddleware)
  • set TWO_FACTOR_WEBAUTHN_RP_NAME (replaces MFA_DOMAIN)
  • Register URLs: path('', include('two_factor.urls'))
  • Overwrite the templates at two_factor/

Other notes

  • It uses a different fido2 implementation
  • forcing users to use two factor auth is not implemented
  • There is about 10x the amount of python code (5000sloc), so it is much harder to review
  • It is based on django-otp, even though the author of that said that there is a fundamental mismatch. I have to investigate that further.
  • It uses the WizardView from formtools to implement multi-stage authentication
  • For some (historic?) reason it requires phonenumbers. What is worse, it requires an outdated version.
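The migration notes above boil down to a few settings constraints (the five apps in INSTALLED_APPS, OTPMiddleware listed after AuthenticationMiddleware, TWO_FACTOR_WEBAUTHN_RP_NAME replacing MFA_DOMAIN). The following is an added example, not code from django-mfa3 or django-two-factor-auth: a settings fragment that follows those notes, plus a small check that verifies them before deployment. The django.contrib.* entries, the "Example RP" name and the check function itself are constructed for this example.

```python
# Added example (not from django-mfa3 or django-two-factor-auth): settings after
# the migration described in the notes above, plus a check of the constraints
# those notes state. The RP name and django.contrib.* apps are constructed.

# Apps the migration notes say must be present in INSTALLED_APPS.
REQUIRED_APPS = (
    "django_otp",
    "django_otp.plugins.otp_static",
    "django_otp.plugins.otp_totp",
    "two_factor",
    "two_factor.plugins.webauthn",
)

AUTH_MIDDLEWARE = "django.contrib.auth.middleware.AuthenticationMiddleware"
OTP_MIDDLEWARE = "django_otp.middleware.OTPMiddleware"

# Constructed INSTALLED_APPS: the usual Django defaults plus the required apps.
INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    *REQUIRED_APPS,
]

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    AUTH_MIDDLEWARE,
    OTP_MIDDLEWARE,  # must follow AuthenticationMiddleware, which populates request.user
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]

# Replaces MFA_DOMAIN from django-mfa3; the value is a constructed placeholder.
TWO_FACTOR_WEBAUTHN_RP_NAME = "Example RP"


def check_two_factor_settings(installed_apps, middleware, extra_settings):
    """Return a list of problems; empty when the migration notes are satisfied.

    extra_settings is a dict of the other module-level settings, so the check
    can spot a missing RP name or a leftover django-mfa3 setting.
    """
    problems = []
    for app in REQUIRED_APPS:
        if app not in installed_apps:
            problems.append(f"INSTALLED_APPS is missing {app}")

    if OTP_MIDDLEWARE not in middleware:
        problems.append("MIDDLEWARE is missing OTPMiddleware")
    elif AUTH_MIDDLEWARE not in middleware:
        problems.append("MIDDLEWARE is missing AuthenticationMiddleware")
    elif middleware.index(OTP_MIDDLEWARE) < middleware.index(AUTH_MIDDLEWARE):
        # OTPMiddleware marks request.user as verified or not, so it needs
        # AuthenticationMiddleware to have set request.user before it runs.
        problems.append("OTPMiddleware must be listed after AuthenticationMiddleware")

    if not extra_settings.get("TWO_FACTOR_WEBAUTHN_RP_NAME"):
        problems.append("TWO_FACTOR_WEBAUTHN_RP_NAME is not set")
    if "MFA_DOMAIN" in extra_settings:
        problems.append("MFA_DOMAIN is a django-mfa3 setting and no longer used")
    return problems


if __name__ == "__main__":
    print(check_two_factor_settings(
        INSTALLED_APPS, MIDDLEWARE,
        {"TWO_FACTOR_WEBAUTHN_RP_NAME": TWO_FACTOR_WEBAUTHN_RP_NAME},
    ))
```

The URL registration from the notes (path('', include('two_factor.urls'))) and the template overrides under two_factor/ are left out of the check because they live in urls.py and the template directory rather than in settings. Running the check from a Django management command or a test keeps the middleware ordering from silently regressing when someone reorders MIDDLEWARE later.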

@peppelinux

peppelinux commented Dec 15, 2023

I love django-two-factor-auth and this is the best approach for a traditional django implementation.

Unfortunately, if a legacy, enterprise-level authentication system preexists, based on django and with SAML2 or OAuth2 or OpenID Connect, it is more difficult to get a good integration with an MFA without huge reworking and development impacts.

I have tested all the mature MFA libraries ready for django, and I found in django-mfa3 the best code and the most flexible and impactless approach, so I decided to use this (and to help development as well) for my SAML2 and OpenID Connect (Identity) Providers.

Simplicity is a feature, code readability is a value, quick and smart interaction with the authors is invaluable.
Thank you @xi

@peppelinux

Just to give you an example, this issue never got a formal answer
jazzband/django-two-factor-auth#641
