thebaron / passlib

Automatically exported from code.google.com/p/passlib
Other
0 stars 0 forks source link

add support for otp / 2-factor? #44

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Not sure if the idea is in-scope for passlib, just wanted to keep the idea here:

What features would the enhancement add?

2factor auth (like google authenticator uses, is standardized by rfc)

first "factor" is a normal username/password check (== passlib stuff), second 
"factor" is computation of a one-time number based on a shared secret (secret 
per site and per user).

What parts of the project would this effect?

Needs adding of a little code like there:

http://stackoverflow.com/questions/8529265/google-authenticator-implementation-i
n-python

(there are also some python libraries on pypi)

Some already existing code of passlib could be (re)used in that context, like 
e.g. the random string generator - for generating the shared secret.

one issue: getting the shared secret into your (e.g. android) device is 
comfortable only by scanning some QR code (one could also type in the code, but 
that's tedious). not sure how to solve that without gettig into image 
generation business or doing requests to some google api or so. but maybe that 
part can be just left to the library user.

Original issue reported on code.google.com by Thomas.J...@gmail.com on 8 Mar 2013 at 10:41

GoogleCodeExporter commented 9 years ago
qrcode stuff can be done externally by using the "qrcode" package (which uses 
PIL to create images), so no need for that in passlib.

Original comment by Thomas.J...@gmail.com on 8 Mar 2013 at 11:43

GoogleCodeExporter commented 9 years ago
I have been trying to think where to draw the line regarding what I include in 
passlib - certainly don't want it to get so bloated it's not worth downloading 
for the 1 or 2 things a given developer needs. 

That said, I'm a big fan of GAuth / RFC6238, it's a small enough protocol, and 
it would fit in pretty nicely. I'll come back to this once the 1.7 development 
cycle gets underway.

Original comment by elic@astllc.org on 20 Mar 2013 at 4:20

GoogleCodeExporter commented 9 years ago

Original comment by elic@astllc.org on 10 Apr 2013 at 6:29

GoogleCodeExporter commented 9 years ago
Couldn't stop myself, went and started coding.

r340d014 adds a passlib.totp module, which contains lowlevel support for TOTP, 
including qrcode generation. The basic bits are there, but the module isn't 
ready for use just yet -- want to wrap everything up in a useful server-side 
storage format & api, and some other TODOs listed at top of module. 

This feature should be included in the 1.7 release.

Original comment by elic@astllc.org on 7 May 2013 at 4:51

GoogleCodeExporter commented 9 years ago
r72b36cc0471b adds what should (hopefully) be the final api for the 
``passlib.totp`` module. Have most of it covered by tests & documented, but 
there are a few edges here and there that need polishing before release. Plan 
to start using it in my own software for a bit to get some real-world testing 
before release.

Original comment by elic@astllc.org on 9 Jan 2015 at 5:41