Since a Redash dashboard might hold and access sensitive data, I think another authentication factor could be useful.
My suggestion:
On first setup, the user can toggle whether their dashboard will use 2FA or not.
If 2FA is selected, each new user that is created through the dashboard will be required to generate an OTP.
(OTPs will be handled locally in the database.)
Authentication code will be requested along with user and password and will be verified together.
I am willing to take the challenge in a PR if possible.
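A sketch of the check proposed above, with the password and the one-time code verified together, added here as an example and not code from Redash or from the issue author. It assumes the OTP is a TOTP (RFC 6238) whose per-user secret is stored in the user record; the `user` fields and all function names are hypothetical.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret, counter, digits=6):
    """HOTP value (RFC 4226) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def demo_user():
    """Constructed sample record standing in for a database row (hypothetical schema)."""
    salt = b"constructed-salt"
    return {"salt": salt,
            "pw_hash": hash_password("correct horse", salt),
            "otp_secret": b"12345678901234567890",  # RFC 4226 test secret
            "last_counter": -1}                     # last time step already used

def verify_login(user, password, code, now=None):
    """Check both factors together and return a single boolean, so the
    response does not reveal which factor failed."""
    now = time.time() if now is None else now
    current = int(now) // STEP
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    matched = None
    for counter in (current - 1, current, current + 1):  # tolerate clock drift
        expected = totp(user["otp_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            matched = counter
    otp_ok = matched is not None and matched > user["last_counter"]
    if pw_ok and otp_ok:
        user["last_counter"] = matched  # burn the step so the code cannot be replayed
        return True
    return False
```

Both factors are always evaluated before the result is returned, and a time step is marked as used only after a fully successful login.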
Voting for this, as Redash is currently an application marked as high-risk in our infrastructure since it can directly access datastores without restriction. 2FA would greatly help.
Add two factor authentication
Technical details: