Deprecate in favor of django-two-factor-auth

[xi]

I started this project in 2021 because I needed FIDO2 authentication for Django and there was no good library available. However, that changed. In January 2023, version 1.15.0 of django-two-factor-auth was released with FIDO2/WebAuthn support.

django-two-factor-auth is maintained by jazzband and much more popular than django-mfa3. So even though I like working on this library, I think it is the responsible thing to deprecate it.

Steps to do:

• review django-two-factor-auth
• contribute any features that are missing compared to django-mfa3
• document the migration process
• make a release to announce the deprecation

There is a small chance that after reviewing django-two-factor-auth I find out that the approaches are different enough so that it makes sense to keep both projects around. But honestly I don't think that will happen.

[xi]

These are notes for migration. I will update this comment as I find out more.

• add django-two-factor-auth[phonenumberslite,webauthn] as a dependency
• add the following to INSTALLED_APPS:

  'django_otp',
  'django_otp.plugins.otp_static',
  'django_otp.plugins.otp_totp',
  'two_factor',
  'two_factor.plugins.webauthn',

• add 'django_otp.middleware.OTPMiddleware' to MIDDLEWARE (after django.contrib.auth.middleware.AuthenticationMiddleware)
• set TWO_FACTOR_WEBAUTHN_RP_NAME (replaces MFA_DOMAIN)
• Register URLs: path('', include('two_factor.urls'))
• Overwrite the templates at two_factor/

Other notes

• It uses a different fido2 implementation
• forcing users to use two factor auth is not implemented
• There is about 10x the amount of python code (5000sloc), so it is much harder to review
• It is based on django-otp, even though the author of that said that there is a fundamental mismatch. I have to investigate that further.
• It uses the WizardView from formtools to implement multi-stage authentication
• For some (historic?) reason it requires phonenumbers. What is worse, it requires an outdated version.

[peppelinux]

I love django-two-factor-auth and this is the best approach for a traditional django implementation.

Unfortunately if a legavy and enterprise level authentication system preexists, based on django and with SAML2 or OAuth2 or OpenID Connect, it is more difficult to get a good integration with an MFA without huge reworking and developments impacts.

I have tested all the mature MFA libraries ready for django and I found in django-mfa3 the best code and the most flexible and impactless approach, then I have decided to use this (and helping developments as well) for my SAML2 and OpenID Connect (Identity) Providers.

simplicity is a feature, code readability is a value, quick and smart interaction with the authors is unvaluable. thank you @xi

[peppelinux]

Just to give you an example, this issue never got a formal answer https://github.com/jazzband/django-two-factor-auth/issues/641