Add support for two-factor authentication

[nijel]

Adding opt-in support for two-factor authentication might improve security for users. There are certainly several existing implementations for Django, the question is how they would plug into our customized python-social-auth based authentication pipeline.

Anyway it should support at least TOTP (Google Authenticator) and FIDO U2F (hardware keys).

[TheAssassin]

Great idea. I'd like to see this in Weblate.

[nijel]

These days it might be more reasonable to focus on webauhtn. There is PyWARP implementation requiring Python 3, what would be blocked by #2201

[TheAssassin]

Maybe as an addition, but in my experience, U2F etc. devices are pretty widely spread, same goes for TOTP etc. I guess having webauthn is nice to have, but U2F with a password is already quite strong, webauthn just adds some convenience while retaining a high security level.

[nijel]

U2F devices should be supported through webauthn, it is more generic browser API for authentication (at least this is my impression from that).

[TheAssassin]

I've seen that there is said to be some U2F downward compatibility from webauthn. I just ask you to ensure this compatibility, it seems that you need to set a few things up the right way to make it work.

That said, offering TOTP/HOTP in addition helps strengthen non-expert users' security, who might not be willing to invest in a U2F/webauthn device. Sure, it's not bulletproof, but can at least prevent a few attacks.

[github-actions[bot]]

This issue has been added to backlog. It is not scheduled on our road map, but it might be eventually implemented. In case you desperately need this feature, please consider helping or funding the development.

[nijel]

Two years later I got back to this.

TOTP could be easily integrated using https://github.com/django-otp/django-otp, but this library is likely not to receive any improvements in the future.

WebAuthn has is a low-level module https://pypi.org/project/webauthn/, but I could not find any reasonable Django integration. There is a bunch of modules, but none of them seems maintained and in a good shape (see https://github.com/django-otp/django-otp/issues/40 for some discussion).

Out of other libraries, the most promising looks https://github.com/mkalioby/django-mfa2 as it supports all we want, but it's maintenance status is not good.

In the end the most reliable approach might be to build this on low-level libraries as that would easily integrate into our python-social-auth based workflow.

Just for the reference, here is how this got integrated into pypi.org (they are using Flask, so it's slightly different): https://github.com/pypa/warehouse/commit/59ab1f2f1b6a0f5335ae0406120d52bce04880b6 https://github.com/pypa/warehouse/commit/6cbaf8407b371e39defd9654b6c540e468d148a2

[TheAssassin]

Generally, it seems like U2F/Webauthn is either not implemented at all in many popular Python web applications, or in a proprietary, i.e., non-portable way. It's a bit of a shame that there are no good libraries available to just integrate yet. Of course, maintaining a library can be a lot of effort. But in a framework like Django there should have been an official solution available for years. </rant>

django-mfa2 actually looks quite good, there has been a release not too long ago even. I think once implemented, there is not a lot to improve on these modern auth mechanisms. The only issue might be the slightly complex integration into existing projects, but I'm quite confident you would manage to get it done. Also, it's not built on top of Webauthn but kind-of reinvents the wheel as well (at least for {T,H}OTP it seems to use a library called pyotp).

I hope your implementation is either based on or ends up in a reusable solution rather than what PyPI did.

[nijel]

django-mfa2 actually looks quite good

Unfortunately, it does not. Based on quick look inside:

• It comes with no tests
• The code base looks ugly and contains no comments
• It uses third-party JSONField instead of using native from Django, these days it would be more reasonable to use native one
• It links two-factor model by username instead of using a foreign key

[TheAssassin]

That's a pity. Missing tests is one thing, but then also hard-to-maintain code... and there's obviously no excuses for violating database best practices.

Perhaps it's time for a proper Django webauthn module? I'm unfortunately not at all into Django...

[nijel]

Some months later, I did another look into available libraries and found few ones which were not mentioned before:

• https://github.com/gavinwahl/django-u2f switched to webauthn recently (but no TOTP and backup codes)
• https://github.com/CZ-NIC/django-fido is also webauthn (but no TOTP and backup codes)
• https://github.com/jazzband/django-two-factor-auth is getting webauthn support in https://github.com/jazzband/django-two-factor-auth/pull/408
• https://github.com/justinmayer/kagi webauthn, TOTP and backup codes
• https://github.com/oliwarner/django-multifactor webauthn and TOTP, no backup codes, fork of django-mfa2

At least kagi and django-two-factor-auth seem promising now, and we should look into them in more depth.

[Maddy0027]

@nijel how about we use pyotp libraries and for fallback option we genrate one time passwords and prompt user to save them in case he dosent have or lost 2fa device

[nijel]

We definitely want WebAuthn support as well, that's why I've listed suitable integrations above. They also provide Django integration to make implementation easier.

[Maddy0027]

otp.pdf @nijel check this if it is ok

[nijel]

Why do you focus on pyotp? It doesn't address WebAuthn part. It doesn't have Django integration. I think one of the above referenced libraries will be a better approach than implementing everything again.

Ensuring that user can only attempt to login 5 time in every minute this will to Stop brute force attacks

This is already present: https://docs.weblate.org/en/latest/admin/optionals.html#rate-limit

Implementation of TOTP code transmission mechanisms, including email and SMS delivery, ensuring secure transmission and user-friendly setup instructions.

We're not really interested in obscure TOTP delivery. The only thing that makes sense to implement is TOTP with application on the user side.

PS: This looks like a GSoC submission, are you aware that Weblate doesn't participate in that?

[Maddy0027]

ok i will work using https://github.com/jazzband/django-two-factor-auth. And i know we are not part of gsoc but i am working or similar problem for gsoc but weblate is my first open sourece library that i am part of so i thought why not add this feature to weblate

[nijel]

2FA is quite a complex topic for a first contribution, but if you want to give it try, you're welcome. Before actually implementing anything, please post here a summary of changes you're going to make so that we can review the 2FA flow before.

[Maddy0027]

@nijel can you just show me location of email server and database where user personal information is stored

[nijel]

We're using Django to access both, see https://docs.djangoproject.com/en/5.0/#the-model-layer or https://docs.djangoproject.com/en/5.0/topics/email/.