Open as-kholin opened 4 years ago
It is a very good point. And a PR will be really appreciated! :)
There's already a Django library https://github.com/Bouke/django-two-factor-auth (MIT Licensed) that you could use that has everything that you would want for this issue. I can implement this and make a PR if it's acceptable to use this 3rd party library.
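As an added illustration (not code from this project or from django-two-factor-auth's own repository), this is the settings fragment a PR along those lines would typically touch. It assumes a standard Django project layout; the app and middleware names are the ones django-two-factor-auth and its django-otp dependency register. The security-relevant caveat is in the comments: enrolling a TOTP device does nothing unless `OTPMiddleware` is installed and the views that matter are actually gated on a verified second factor.

```python
# settings.py fragment (added example; assumes a stock Django project).
# django-two-factor-auth builds on django-otp, so both must be installed apps.
INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "django_otp",                      # device models and the "is_verified" plumbing
    "django_otp.plugins.otp_static",   # one-time backup codes for account recovery
    "django_otp.plugins.otp_totp",     # TOTP devices (Google Authenticator, Authy, ...)
    "two_factor",                      # login flow, setup wizard, QR provisioning
]

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    # Must come AFTER AuthenticationMiddleware: it attaches the verified OTP
    # device to request.user so request.user.is_verified() works in views.
    "django_otp.middleware.OTPMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]

# Route password login through the two-factor wizard instead of the stock view.
LOGIN_URL = "two_factor:login"
LOGIN_REDIRECT_URL = "two_factor:profile"

# In urls.py (not repeated here because it needs a running Django install):
#   from two_factor.urls import urlpatterns as tf_urls
#   urlpatterns = [path("", include(tf_urls)), ...]
#
# Enforcement is opt-in per view. A user with a TOTP device who has only
# passed the password step is request.user.is_verified() == False, so views
# that should require the second factor (tunnel setup, account settings)
# need `from django_otp.decorators import otp_required` or the library's
# OTPRequiredMixin; otherwise the device is enrolled but never checked.
```

The middleware ordering and the `otp_required` gating are the two things most easily forgotten in a PR of this kind: the first breaks `is_verified()`, the second leaves the new factor decorative.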
Of course we can use 3rd party lib. We are using a ton of them. :)
Yes a PR will be very welcome!
Checking back on this, is there any way a non-technical person can help?
For various (good) reasons, Octoprint is recommended to not be made available directly on the Internet (unless compensating controls are added). Especially with tunneling, if someone's TSD account gets hacked, then they have effectively done just that. Not saying that TSD does not add some security, only that people being people, chances are this will happen to at least some due to poor password management procedures.
While we cannot prevent that entirely, we can make it materially harder to occur by allowing (or possibly, in the case of tunneling, requiring) 2-Factor Authentication/Multi-factor Authentication.
Request enhancement to add at least TOTP (Google Authenticator, Twilio Authy, etc), possibly including some other 2FA mechanisms (U2F, FIDO2, Yubikey, etc). Defer to others if any sort of SMS auth is worth considering, given criticisms of this route vs. ubiquity.
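To make the TOTP part of the request concrete, here is an added, self-contained reference implementation of RFC 4226 (HOTP) and RFC 6238 (TOTP) verification in Python, the algorithm Google Authenticator and Authy implement. It is not code from this project or from any library mentioned above. The secret, time values and expected codes are the published RFC test vectors; `TotpVerifier`, its `skew` window and its replay check are this example's own names and design, shown because a server-side verifier that tolerates clock drift but does not tolerate a reused code is the part that is easy to get wrong.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: dynamic-truncate HMAC(secret, counter) to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algorithm)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32 (otpauth:// URIs)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server-side check: small clock-skew window, constant-time compare, no code reuse.

    Hypothetical helper for this example; per-user state would live in the DB.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew            # accept +/- this many steps of drift
        self.last_counter = -1      # highest counter already accepted for this user

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):      # avoid timing leak on mismatch
                if counter <= self.last_counter:
                    return False                         # replay: code already consumed
                self.last_counter = counter
                return True
        return False


# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in ASCII).
RFC_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at t=59:  ", totp(RFC_SECRET, 59))           # 287082 per RFC 6238
    v = TotpVerifier(RFC_SECRET)
    print("first use:", v.verify("287082", now=59))          # True
    print("replayed: ", v.verify("287082", now=59))          # False
```

Two practical notes follow from the code: the `skew` of one step is what lets a phone that is a few seconds off still log in, and the `last_counter` check is why a code sniffed from a tunnelled session cannot be replayed within that same window. Rate-limiting the `verify` call is still needed, since a six-digit space is small enough to brute-force without it.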