svthalia / concrexit

Thalia Website built on Django.
https://thalia.nu

Add 2FA to the login flow #1858

Closed joren485 closed 8 months ago

joren485 commented 3 years ago

Describe the solution you'd like

It would be great if there was an option to add a TOTP to user accounts.

Motivation

2FA adds an extra layer of security for the users. As many people use weak passwords or reuse passwords, having the option of 2FA is considered best practice.

This security is especially important for admin and moderator users. If one of their accounts gets compromised, an attacker might be able to leak/alter sensitive data. If you implement this, you might want to consider enforcing 2FA for privileged accounts.

Additional context

As a study association that (partly) focuses on digital security, I feel that it is important to follow these types of best practices.

se-bastiaan commented 3 years ago

Good option probably: https://django-two-factor-auth.readthedocs.io/

JobDoesburg commented 3 years ago

If we were to do this, I think we should directly go for FIDO(2) https://pypi.org/project/django-mfa2/

se-bastiaan commented 3 years ago

I do not particularly like that package. There are no tests, and the code has no code style applied. (Note after I wrote this: other people agree.) Not that the library I linked is perfect, since PRs do not seem to be accepted. As is also the case for django-otp, which seems to be in some kind of sleep mode?

I do agree that webauthn/fido2 is a good thing, but it doesn't look like there is an easy and good way to get it in.

JobDoesburg commented 3 years ago

I do agree that webauthn/fido2 is a good thing

My main point :)

se-bastiaan commented 3 years ago

https://github.com/oliwarner/django-multifactor/ is another option, basically a rewrite of django-mfa2. I like it more, but it requires quite some custom templates, plus we need to find a way to force 2FA in places.

That library wants 2FA for specific views. I'd rather have it once when you log in, because that won't bother the API consumers, since it can be part of the OAuth process.

So:

DeD1rk commented 1 year ago

I think it would be nice to do this soon. https://django-two-factor-auth.readthedocs.io/ is popular and stable now. It also supports WebAuthn.

It should be simple to set up, and after that we can look into enforcing 2FA, for example (perhaps gradually) for superusers, board, active members, and people with Thalia Pay set up.
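Two ideas from this thread are worth seeing in code: a TOTP check that refuses replayed codes (the feature requested at the top), and a once-per-login policy that gradually forces 2FA on privileged roles rather than gating individual views. The block below is an added example written for this issue, not concrexit code and not the API of django-two-factor-auth or django-otp. The `Account` fields, the role names, the `ROLLOUT_PHASES` and the `login_decision` return values are assumptions; the secret is the public RFC 4226 / RFC 6238 test secret.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with replay protection, plus a login-time
2FA rollout policy. Added example; not concrexit or library code. The
Account fields, role names and rollout phases are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, last_used_counter=-1, window=1, step=30, digits=6):
    """Check a submitted code against the current time step and +/- `window` steps.

    Returns (accepted, new_last_used_counter). Any step at or before
    `last_used_counter` is refused, so a code captured by a phishing page
    cannot be replayed while it is still inside the validity window.
    """
    code = code.strip()
    if not code.isdigit():
        return False, last_used_counter
    counter = int(at) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_used_counter


@dataclass(frozen=True)
class Account:
    """Minimal stand-in for the user model; the field names are assumptions."""
    username: str
    is_superuser: bool = False
    is_board: bool = False
    is_active_member: bool = False
    has_thalia_pay: bool = False
    has_totp_device: bool = False


# Gradual rollout as suggested in the thread: each phase enforces a superset of the previous one.
ROLLOUT_PHASES = (
    frozenset({"superuser"}),
    frozenset({"superuser", "board"}),
    frozenset({"superuser", "board", "active_member"}),
    frozenset({"superuser", "board", "active_member", "thalia_pay"}),
)


def roles(account: Account) -> frozenset:
    flags = {
        "superuser": account.is_superuser,
        "board": account.is_board,
        "active_member": account.is_active_member,
        "thalia_pay": account.has_thalia_pay,
    }
    return frozenset(name for name, on in flags.items() if on)


def login_decision(account: Account, enforced_roles) -> str:
    """Decide what happens right after a correct password, once per login.

    'require_totp': the user has a device, so always challenge (opt-in users too).
    'require_enrollment': policy demands 2FA but no device exists yet; block the
    session until one is enrolled instead of silently admitting a privileged user.
    'allow': no device and no enforced role.
    """
    if account.has_totp_device:
        return "require_totp"
    if roles(account) & frozenset(enforced_roles):
        return "require_enrollment"
    return "allow"
```

Because the decision is made once at login, a first-party OAuth flow can run the same check before issuing a token, which is the property se-bastiaan asks for above. The `last_used_counter` must be persisted per user (and updated atomically) for the replay check to mean anything across requests.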