Django Two Factor Authentication

Published 2019-08-29 08:32

Question:

I have recently been reading through the documentation about django-two-factor-authentication which I found here: https://django-two-factor-auth.readthedocs.io/en/stable/installation.html The documentation is great. However, I'm trying to understand the full requirements for this solution. If I implement this package, do I then need to rely on a third party to complete this solution, or can two factor authentication be achieved without a third party? My primary concern is the cost associated with plugging in to third parties. If it can be avoided, obviously I'd prefer free. If it can't be avoided, does anyone have experience with any of the third party providers offering two factor authentication? I've researched Twilio a bit but I know there are others out there who perform this service as well. Thanks in advance for any input.

Answer 1:

Steve, you can implement two factor authentication in django without the use of a paid 3rd party.

You can do it by implementing the pyOTP library directly, and then having the user use the Google Authenticator app. Since it is all math there are no third party services when the code is generated or validated.

I have implemented this on a django website before. It involves setting up an OTP secret and verifying it. Then each time an auth is needed, generating the QR code for them to scan using a provisioning URI, then combining the 2FA verification with your auth. All of those steps can be done using the pyOTP library alone. (I also used the pyqrcode library to generate the scannable qr code.)

If you search you can probably find some examples of people who have already built out these smaller steps in bigger libraries, like this one.

If you wanted to offer SMS based 2FA you would need to look at using Twilio. But that is perhaps a feature and not necessary.
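The flow the answer above describes (generate a secret, build the provisioning URI for the QR code, verify the user's code at login), as an added example that is not part of the original answer and is not pyOTP's own code. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library only, so it runs without pyOTP installed; pyOTP's `random_base32()`, `provisioning_uri()` and `verify()` wrap the same math. The account and issuer names are placeholders, and the base32 secret `RFC_TEST_SECRET` is the RFC test key, embedded here as constructed input.

```python
"""TOTP (RFC 6238) with the Python standard library: enrolment, QR URI, verification."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode

DIGITS = 6   # Google Authenticator displays 6 digits
STEP = 30    # seconds per time step (the app assumes 30)

# Constructed test input: the RFC 4226 / RFC 6238 reference secret
# "12345678901234567890", base32-encoded. Never use a fixed secret in production.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret (RFC 4226 minimum), base32 without padding as apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI to encode in the enrolment QR code (Key Uri Format)."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret, "issuer": issuer, "algorithm": "SHA1",
                        "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{params}"


def _decode_secret(secret: str) -> bytes:
    # Restore the base32 padding that was stripped for display before decoding.
    s = secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP)


def verify_totp(secret: str, code: str, last_counter: int,
                at: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    `window` steps on either side absorb clock drift between phone and server.
    Any counter at or below `last_counter` (the step of the last accepted code,
    persisted per user, -1 for never) is refused, so a code captured by a
    phishing page cannot be replayed within the same window.
    """
    now = int(time.time()) if at is None else at
    counter = now // STEP
    for c in range(counter - window, counter + window + 1):
        if c < 0 or c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code.strip()):
            return c
    return None


if __name__ == "__main__":
    # Enrolment: store the secret on the user record, show the QR once, confirm with one code.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleApp"))  # feed this to a QR encoder
    print("current code:", totp(secret))
    # Login: check the submitted code, then persist the returned counter as last_counter.
    matched = verify_totp(secret, totp(secret), last_counter=-1)
    print("accepted at counter", matched)
```

In a Django view the secret and `last_counter` would live on the user's profile model; the provisioning URI is shown once at enrolment (pyqrcode or any QR encoder renders it), and `verify_totp` runs as the second step after the password check. Rate-limit the code endpoint as well, since a 6-digit code with a three-step window is brute-forceable without one.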



Answer 2:

Two-factor can work not only through SMS messages. It can also be implemented using, for example:

  • Pre-generated one-time passwords/pin codes
  • OTP/TOTP algorithm
  • email messages
  • Custom communication channel (like your own mobile app that contacts your server and fetches the login code)
  • U2F protocol (Yubikey etc)

This package supports all of those methods and even more. You can choose any of them, so there is no need to rely on a paid 3rd party SMS provider.