-
-
Notifications
You must be signed in to change notification settings - Fork 447
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add U2F devices feature #215
base: master
Are you sure you want to change the base?
Conversation
Hi @vereena42 sorry for not getting back to you any sooner, but nevertheless great seeing you as a first time contributor! I'm not familiar with U2F, but I've ordered a Yubikey some years ago. I must still have it somewhere. The idea of Yubikey was nice, however I haven't found any use-case for it myself as most services I'm using don't support it. U2F seems like a device similar to Yubikey, and based on my experiences thus far I'm a bit sceptical. However support for U2F has come up a few times, so there might be others that are interested. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So going forward I think integration of U2F should be similar to Yubikey: completely optional. Further I think we should not introduce additional views, but re-use existing views. Is there a specific reason you introduced new views? And most importantly we need unit tests before any code can be merged in.
To clarify the use-case for U2F, the biggest advantage of U2F over TOTP apps and Yubico OTP is that it provides a degree of protection against phishing and makes man-in-the-middle considerably more difficult. A lot of the sites and applications that use U2F allow you to use it as an option alongside a TOTP app because U2F support on mobile is limited, but this is still makes sense because logins via U2F are protected against phishing and are much more difficult to man-in-the-middle compared to logins using the TOTP app. It's notable that Yubico acknowledges the advantages of U2F over Yubico OTP: |
I'm very much interested in this too. I'd just started writing a django-otp device plugin for U2F (https://github.com/alexsdutton/django-otp-u2f), and was looking to integrate it with django-two-factor-auth when I found this. I'd be very happy to help in making this happen. My thoughts:
|
@alexsdutton Regarding your questions;
|
This relates to django-two-factor-auth jazzband#233, jazzband#215 (and by extension jazzband#86 and others) In a broken state, I'll re visit another time (this was really just to try some ideas)
It would be very awesome if U2F would be supported. Due to the nature of the device key never leaving the U2F-device and the rising availability of NFC-capable U2F-devices, U2F-keys are getting more and more popular as a means of 2FA. Please consider integrating this soon 😸. |
I wanted to resolve #86 issue and integrate django-u2f with this project, but after investigation I realized these two projects differ too much to be integrated.
So instead I wrote code for using U2F devices in this project from scratch.
Now one can choose U2F in setup view and login with U2F. There is also new functionality in profile view - if U2F is default method one can add more than one U2F keys to their account and delete keys - after the last one is deleted two_factor auth is disabled.
Plese don't hestitate to review my code - I'm open for any advice.