Security News
Supply Chain Attack Detected in Solana's web3.js Library
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Web Authn), Email Tokens , Trusted Devices and backup codes.
Web Authencation API (WebAuthn) is state-of-the art techology that is expected to replace passwords.
For FIDO2, the following are supported
Update: Dec 2022, krypt.co has been killed by Google for Passkeys.
In English :), It allows you to verify the user by security keys on PC, Laptops or Mobiles, Windows Hello (Fingerprint, PIN) on Windows 10 Build 1903+ (May 2019 Update) Touch/Face ID on Macbooks (Chrome, Safari), Touch/Face ID on iPhone and iPad and Fingerprint/Face/Iris/PIN on Android Phones.
Trusted device is a mode for the user to add a device that doesn't support security keys like Android without fingerprints or NFC.
Note: U2F and FIDO2 can only be served under secure context (https)
Package tested with Django 1.8, Django 2.2 on Python 2.7 and Python 3.5+ but it was not checked with any version in between but open for issues.
If you just need WebAuthn and Passkeys, you can use django-passkeys, which is a slim-down of this app and much easier to integrate.
Depends on
using pip
For Django >= 4.0
pip install django-mfa2
For Django < 4.0
pip install django-mfa2 jsonfield
Using Conda forge
conda config --add channels conda-forge
conda install django-mfa2
For more info, see the conda-forge repo (https://github.com/conda-forge/django-mfa2-feedstock)
Thanks for swainn for adding package to conda-forge
in your settings.py add the application to your installed apps
INSTALLED_APPS=(
'......',
'mfa',
'......')
Collect Static Files
python manage.py collectstatic
Add the following settings to your file
from django.conf.global_settings import PASSWORD_HASHERS as DEFAULT_PASSWORD_HASHERS #Preferably at the same place where you import your other modules
MFA_UNALLOWED_METHODS=() # Methods that shouldn't be allowed for the user e.g ('TOTP','U2F',)
MFA_LOGIN_CALLBACK="" # A function that should be called by username to login the user in session
MFA_RECHECK=True # Allow random rechecking of the user
MFA_REDIRECT_AFTER_REGISTRATION="mfa_home" # Allows Changing the page after successful registeration
MFA_SUCCESS_REGISTRATION_MSG = "Go to Security Home" # The text of the link
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
MFA_ALWAYS_GO_TO_LAST_METHOD = False # Always redirect the user to the last method used to save a click (Added in 2.6.0).
MFA_RENAME_METHODS={} #Rename the methods in a more user-friendly way e.g {"RECOVERY":"Backup Codes"} (Added in 2.6.0)
MFA_HIDE_DISABLE=('FIDO2',) # Can the user disable his key (Added in 1.2.0).
MFA_OWNED_BY_ENTERPRISE = False # Who owns security keys
PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS # Comment if PASSWORD_HASHER already set in your settings.py
PASSWORD_HASHERS += ['mfa.recovery.Hash']
RECOVERY_ITERATION = 350000 #Number of iteration for recovery code, higher is more secure, but uses more resources for generation and check...
TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name
U2F_APPID="https://localhost" #URL For U2F
FIDO_SERVER_ID=u"localehost" # Server rp id for FIDO2, it is the full domain of your project
FIDO_SERVER_NAME=u"PROJECT_NAME"
import mfa
MFA_FIDO2_RESIDENT_KEY = mfa.ResidentKey.DISCOURAGED # Resident Key allows a special User Handle
MFA_FIDO2_AUTHENTICATOR_ATTACHMENT = None # Let the user choose
MFA_FIDO2_USER_VERIFICATION = None # Verify User Presence
MFA_FIDO2_ATTESTATION_PREFERENCE = mfa.AttestationPreference.NONE
MFA_ENFORCE_EMAIL_TOKEN = False # If you want the user to receive OTP by email without enrolling, if this the case, the system admins shall make sure that emails are valid.
MFA_SHOW_OTP_IN_EMAIL_SUBJECT = False #If you like to show the OTP in the email subject
MFA_OTP_EMAIL_SUBJECT= "OTP" # The subject of the email after the token
Method Names
Notes:
MFA_SUCCESS_REGISTRATION_MSG
& MFA_REDIRECT_AFTER_REGISTRATION
MFA_ALWAYS_GO_TO_LAST_METHOD
, MFA_RENAME_METHODS
, MFA_ENFORCE_RECOVERY_METHOD
& RECOVERY_ITERATION
MFA_FIDO2_RESIDENT_KEY
, MFA_FIDO2_AUTHENTICATOR_ATTACHMENT
, MFA_FIDO2_USER_VERIFICATION
, MFA_FIDO2_ATTESTATION_PREFERENCE
MFA_ENFORCE_EMAIL_TOKEN
, MFA_SHOW_OTP_IN_EMAIL_SUBJECT
, MFA_OTP_EMAIL_SUBJECT
Break your login function
Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change
def login(request): # this function handles the login form POST
user = auth.authenticate(username=username, password=password)
if user is not None: # if the user object exist
from mfa.helpers import has_mfa
res = has_mfa(username = username,request=request) # has_mfa returns false or HttpResponseRedirect
if res:
return res
return log_user_in(request,username=user.username)
#log_user_in is a function that handles creatung user session, it should be in the setting file as MFA_CALLBACK
Add mfa to urls.py
import mfa
import mfa.TrustedDevice
urls_patterns= [
'...',
url(r'^mfa/', include('mfa.urls')),
url(r'devices/add$', mfa.TrustedDevice.add,name="mfa_add_new_trusted_device"), # This short link to add new trusted device
'....',
]
Provide mfa_auth_base.html
in your templates with block called 'head' and 'content', The template will be included during the user login, the template shall be close to the login template.
If you will use Email Token method, then you have to provide template named mfa_email_token_template.html
that will content the format of the email with parameter named user
and otp
.
To match the look and feel of your project, MFA includes base.html
but it needs blocks named head
& content
to added its content to it.
Note: Starting v2.3.0, a new template mfa_base.html
is introduced, this template is used by MFA.html
so you can control the styling better and current mfa_base.html
extends base.html
Somewhere in your app, add a link to 'mfa_home'
<li><a href="{% url 'mfa_home' %}">Security</a> </li>
For Example, See 'example' app and look at EXAMPLE.md to see how to set it up.
To be able to go passwordless for returning users, create a cookie named 'base_username' containing username as shown in snippet below
response = render(request, 'Dashboard.html', context))
if request.session.get("mfa",{}).get("verified",False) and getattr(settings,"MFA_QUICKLOGIN",False):
if request.session["mfa"]["method"]!="Trusted Device":
response.set_cookie("base_username", request.user.username, path="/",max_age = 15*24*60*60)
return response
Second, update the GET part of your login view
if "mfa" in settings.INSTALLED_APPS and getattr(settings,"MFA_QUICKLOGIN",False) and request.COOKIES.get('base_username'):
username=request.COOKIES.get('base_username')
from mfa.helpers import has_mfa
res = has_mfa(username = username,request=request,)
if res: return res
## continue and return the form.
Sometimes you like to verify that the user is still there so simple you can ask django-mfa2 to check that for you
{% include 'mfa_check.html' %}
function success_func() {
//logic if mfa check succeeds
}
function fail_func() {
//logic if mfa check fails
}
function some_func() {
recheck_mfa(success_func,fail_func,MUST_BE_MFA)
//MUST_BE_MFA true or false, if the user must has with MFA
}
To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
FAQs
Allows user to add 2FA to their accounts
We found that django-mfa2 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.