
Add 2FA

Open foozmeat opened this issue 2 years ago • 6 comments

It would be nice to be able to enforce it server-wide.

foozmeat avatar Jan 11 '23 00:01 foozmeat

Agreed - this has been on my mental list for a while. I think my current position is TOTP and Webauthn only, SMS two factor would need more provider integration and also isn't amazing anyway.

andrewgodwin avatar Jan 11 '23 00:01 andrewgodwin
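For readers following the TOTP half of this discussion, here is an added example of what a server-side TOTP check looks like; it is not code from Takahe or from any package mentioned in the thread. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, uses a constant-time comparison, accepts one time step of clock skew on either side, and refuses to accept a code for a time step that has already been consumed, which is the part a hand-rolled verifier most often forgets. The shared secret is the published RFC 6238 test-vector seed, base32-encoded, so the expected codes are known; it is a constructed value, not anyone's real secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed sample secret: the RFC 6238 test-vector seed ("12345678901234567890"),
# base32-encoded the way an authenticator app would receive it. Not a real user's secret.
RFC6238_SEED = b"12345678901234567890"
SAMPLE_SECRET_B32 = base64.b32encode(RFC6238_SEED).decode()

STEP_SECONDS = 30
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32-encoded shared secret (160 bits, as RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    ts = int(time.time()) if at is None else at
    return hotp(secret_b32, ts // step)


class TotpVerifier:
    """Server-side verifier.

    Tolerates +/- `window` steps of clock skew between client and server, and
    records the highest time step it has accepted so that the same code cannot be
    replayed inside its validity window. In a real application `last_counter`
    would be persisted per user alongside the secret.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter: Optional[int] = None

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        ts = int(time.time()) if at is None else at
        now_counter = ts // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if self.last_counter is not None and counter <= self.last_counter:
                continue  # this step (or an earlier one) has already been consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SAMPLE_SECRET_B32)
    code = totp(SAMPLE_SECRET_B32, at=59)
    print("code at T=59:", code, "-> first use:", v.verify(code, at=59),
          "replay:", v.verify(code, at=59))
```

The verifier's replay check works because a 6-digit code is only ever tied to one time step: once step N has been accepted, any later attempt at steps N or earlier is skipped before the HMAC is even computed. Enforcing 2FA server-wide would then be a matter of the login view refusing to issue a session until `verify` has returned true for the user's stored secret.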

+1 to Webauthn

foozmeat avatar Jan 11 '23 00:01 foozmeat

There's a Django package for that: Kagi. "Kagi provides support for FIDO WebAuthn security keys and TOTP tokens in Django." https://github.com/justinmayer/kagi

pauloxnet avatar Jan 11 '23 17:01 pauloxnet

+1 and also consider supporting Passkey/WebauthN only login, where passwords aren't collected or allowed. I would love to have a switch where passwords aren't a concern anymore.

tabletcorry avatar Jan 15 '23 22:01 tabletcorry

Good idea @tabletcorry, though we'd need a new reset flow for that situation so you could get back in.

andrewgodwin avatar Jan 15 '23 23:01 andrewgodwin

Nod, I think emails would still be attached to the user so the "password reset flow" would become a "add a new passkey" flow when appropriate. Hard to replace email as a core root of identity...

Though for a single-user instance, turning off that flow might be a decent switch since losing a passkey is pretty hard, and some users might want to keep their email quiet (assuming we provide an UPDATE statement they can run on the DB).

tabletcorry avatar Jan 15 '23 23:01 tabletcorry