pennersr / django-allauth

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.
https://allauth.org
MIT License

MFA Feature Request: Method to check if user authenticated via MFA #3537

Closed dwasyl closed 9 months ago

dwasyl commented 9 months ago

In migrating over from django-otp-based MFA, one feature that existed there is an is_verified function on the request.user model as a way of checking that a particular User authenticated with their MFA key.

This is a handy security feature/validation for sites that might have multiple entry points or have not enabled MFA on particular login screens (i.e. admin).

In django-otp world, it comes from a middleware module.

Clearly a bad practice not to have MFA on every single login, but it happens, and having some way of validating that a user did in fact use MFA to log in is handy rather than just assuming they did if they have a device configured.

pennersr commented 9 months ago

This is now supported via e39aed5e -- authentication methods used are all recorded:

https://github.com/pennersr/django-allauth/blob/main/allauth/account/authentication.py#L7

dwasyl commented 9 months ago

That's great, thanks for making that work so elaborately and so well.
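
The check requested in this issue, sketched as an added example that is not part of the thread and not django-allauth's own code. It assumes the recorded authentication methods are a list of dicts with a `"method"` name (`"mfa"` for the second factor) and a Unix timestamp `"at"`; the helper names and sample records are constructed for illustration, and in a real project the records would be read from the session via the module linked above.

```python
import time

# Constructed sample records in the assumed shape: one dict per
# authentication step, with "method" and a Unix timestamp "at".
SAMPLE_RECORDS = [
    {"method": "password", "at": 1_700_000_000.0, "username": "alice"},
    {"method": "mfa", "at": 1_700_000_005.0, "type": "totp"},
]


def mfa_verified(records, max_age=None, now=None):
    """Return True only if an MFA step is recorded for this session.

    records: iterable of dicts in the assumed shape above (or None).
    max_age: optional seconds; if set, the MFA step must be this recent,
             which suits step-up checks before sensitive views.
    now:     override for the current time (used for testing).
    """
    now = time.time() if now is None else now
    for rec in records or []:
        if not isinstance(rec, dict) or rec.get("method") != "mfa":
            continue
        at = rec.get("at")
        if isinstance(at, bool) or not isinstance(at, (int, float)):
            continue  # malformed record: never count it as proof of MFA
        if at > now:
            continue  # timestamp in the future: do not trust it
        if max_age is None or now - at <= max_age:
            return True
    return False


def require_mfa(records, max_age=None, now=None):
    """Gate for a protected entry point: fail closed instead of assuming
    MFA was used just because the user has a device configured."""
    if not mfa_verified(records, max_age=max_age, now=now):
        raise PermissionError("MFA verification required")
    return True
```
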