Login using OTP sent to email #3550
Comments
Thanks for this. Below is my use case and some of my own opinions. Use case: I want to send an OTP on user login, redirect the user to the OTP confirmation page, verify the OTP and then send them to their dashboard (or any page I desire). Opinions:
I made a little PoC for a feature like this, I've pushed that here: https://github.com/pennersr/django-allauth/tree/feat-otp-login It's functional but definitely not finished. Would appreciate it if you could give it a test spin to see if this matches your use case.
Thank you for this. I will test it and share feedback with you.
Hi @pennersr
@pennersr: We would also be really interested in having this feature directly available in django-allauth. We have already adapted your PoC (thank you so much for that!) to integrate this feature into our app without having to maintain a fork of django-allauth. I'd be happy to share the diff if you are interested. A few changes that we made FYI:
I'm sorry, but how do I test this on a production site? I am using 0.61.1 for Django 4.2.
Do this: This will install the branch with this feature.
I would like to see this implemented in allauth. Though, I am still a bit at odds on the exact requirements. I initially envisioned this as a feature that would be turned on/off globally via the settings. But I see that @apagano-vue is using this as something that is under control of the user. @apagano-vue, can you please sketch how this works for your users? Also interested in what the possible UI looks like. For example, can they enable/disable this just like e.g. TOTP authentication? Any input, and any good examples of how other sites are implementing this, is welcome.
Currently, I am migrating from a custom implementation to Allauth. During this process, I discovered that email-based two-factor authentication (2FA) is not possible. Therefore, I would also like to see this feature implemented. The option for email-based 2FA should only be available if an email address is known AND the current primary email address is verified. After activation, changing the primary email address should only be possible if the "new" email address is also verified. To control the activation, I see two possible approaches:
In my view, this would lead to the following extension:
Hi,
@Okan0 Thanks for the detailed sketch. I am wondering if presenting this option as a user configurable 2FA option is the right solution. The issue is that the email is actually not a true second factor, and presenting it in the 2FA overview can wrongly give the user the impression that this is just as secure as enabling e.g. TOTP. Your password can be reset by having ownership of the email address, so the password and a code sent by email are actually the same factor.
@josylad -- do people realize that this is not real 2FA? To scope this ticket, we're moving forward with the way of working as presented in the initial proof of concept, which is what several projects have already integrated in one way or the other. So, basically that would match what is outlined here: #3550 (comment)
Hi @pennersr -- Well, people see it as the same as text or phone OTP, and to some extent it provides some form of 2FA security. Your initial PoC works well, so you can move forward with that.
See: #2061 (comment)

TBD:

- ACCOUNT_EMAIL_REQUIRED = True -- should likely not be supported without.
- ACCOUNT_EMAIL_VERIFICATION = 'none' -- at least for login/signup. When adding a secondary email we still need to verify.
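As an added illustration, not code from django-allauth or from anyone in this thread, the sketch below puts the eligibility rule from @Okan0's comment (primary email known and verified) and the settings constraints from the TBD list into plain Python, together with the safeguards a login-by-code check needs (hashed storage, expiry, attempt cap, single use). The SETTINGS dict, the User record and CODE_TTL are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional, Tuple

# Constructed stand-ins for allauth settings (assumed values, not project defaults).
SETTINGS = {"ACCOUNT_EMAIL_REQUIRED": True, "ACCOUNT_EMAIL_VERIFICATION": "mandatory"}
CODE_TTL = 180  # seconds a code stays valid; assumed value


@dataclass
class User:  # hypothetical minimal user record
    primary_email: Optional[str]
    verified_emails: set = field(default_factory=set)


def email_code_login_allowed(settings: dict, user: User) -> bool:
    """Login by email code only when email is required and verified at the
    configuration level and this user's primary address is itself verified."""
    if not settings.get("ACCOUNT_EMAIL_REQUIRED"):
        return False
    if settings.get("ACCOUNT_EMAIL_VERIFICATION") == "none":
        return False
    return bool(user.primary_email) and user.primary_email in user.verified_emails


@dataclass
class Challenge:
    email: str
    code_hash: bytes          # only a digest is stored, never the code itself
    expires_at: float
    attempts_left: int = 3    # the attempt cap is what protects a 6-digit code
    used: bool = False


def issue_code(user: User, now: Optional[float] = None) -> Tuple[Challenge, str]:
    """Create a short single-use code; the caller emails the returned string."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    ch = Challenge(user.primary_email, sha256(code.encode()).digest(), now + CODE_TTL)
    return ch, code


def verify_code(ch: Challenge, submitted: str, now: Optional[float] = None) -> bool:
    """Constant-time comparison with expiry, attempt cap and single-use enforcement."""
    now = time.time() if now is None else now
    if ch.used or ch.attempts_left <= 0 or now > ch.expires_at:
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(sha256(submitted.encode()).digest(), ch.code_hash)
    if ok:
        ch.used = True
    return ok
```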