 

Django Two Factor Authentication

I have recently been reading through the documentation about django-two-factor-authentication, which I found here: https://django-two-factor-auth.readthedocs.io/en/stable/installation.html The documentation is great. However, I'm trying to understand the full requirements for this solution. If I implement this package, do I then need to rely on a third party to complete this solution, or can two-factor authentication be achieved without a third party? My primary concern is the cost associated with plugging in to third parties. If it can be avoided, obviously I'd prefer free. If it can't be avoided, does anyone have experience with any of the third-party providers offering two-factor authentication? I've researched Twilio a bit, but I know there are others out there who perform this service as well. Thanks in advance for any input.

Steve Smith asked Feb 27 '19 15:02


People also ask

How do you use PyOTP?

To generate TOTPs using PyOTP, you need to instantiate the TOTP class of the PyOTP library and call the now method. You can proceed to validate generated tokens using the verify method. PyOTP also provides a helper library to generate secret keys to initiate the TOTP and HOTP classes.

How do I use Google Authenticator developer?

Google Authenticator: Install the application and create a new account by entering the code. Name your account as you want and enter the secret generated in the previous step. Choose a time-based token. Now you can see on your smartphone a 6-character-long password that allows you to validate the user's identity.


1 Answer

Steve, you can implement two-factor authentication in Django without the use of a paid 3rd party.

You can do it by implementing the pyOTP library directly, and then having the user use the Google Authenticator app. Since it is all math, there are no third-party services when the code is generated or validated.

I have implemented this on a Django website before. It involves setting up an OTP secret and verifying it. Then each time an auth is needed, generating the QR code for them to scan using a provisioning URI, then combining the 2FA verification with your auth. All of those steps can be done using the pyOTP library alone. (I also used the pyqrcode library to generate the scannable QR code.)

If you search you can probably find some examples of people who have already built out these smaller steps in bigger libraries, like this one.

If you wanted to offer SMS based 2FA you would need to look at using Twilio. But that is perhaps a feature and not necessary.

Rob answered Oct 19 '22 06:10
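The steps the answer lists (secret setup, provisioning URI, code verification), shown as an added example that is not part of the original answer. It uses only the Python standard library instead of pyOTP so the computation is visible with no external service involved; the function names are hypothetical and the sample secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote, urlencode

STEP = 30  # seconds per time step (RFC 6238 default, used by Google Authenticator)

def generate_secret():
    """160-bit random key, base32-encoded for the authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp(secret_b32, for_time, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, last_used_counter=None, window=1):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift and rejects any step at or before
    `last_used_counter` (stored per user), so a code cannot be replayed.
    """
    current = int(now) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp(secret_b32, counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI to render as the enrollment QR code."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"

# Constructed sample: the published RFC 6238 test key ("12345678901234567890").
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))
    step = verify(RFC_TEST_SECRET, "287082", now=59)
    print(step, verify(RFC_TEST_SECRET, "287082", now=59, last_used_counter=step))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Example"))
```

In a Django view, the counter returned by `verify` would be saved on the user's record and passed back as `last_used_counter` on the next login attempt.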