Weblate: Add support for two-factor authentication

Great idea. I'd like to see this in Weblate.

These days it might be more reasonable to focus on webauhtn. There is PyWARP implementation requiring Python 3, what would be blocked by #2201

Maybe as an addition, but in my experience, U2F etc. devices are pretty widely spread, same goes for TOTP etc. I guess having webauthn is nice to have, but U2F with a password is already quite strong, webauthn just adds some convenience while retaining a high security level.

U2F devices should be supported through webauthn, it is more generic browser API for authentication (at least this is my impression from that).

I've seen that there is said to be some U2F downward compatibility from webauthn. I just ask you to ensure this compatibility, it seems that you need to set a few things up the right way to make it work.

That said, offering TOTP/HOTP in addition helps strengthen non-expert users' security, who might not be willing to invest in a U2F/webauthn device. Sure, it's not bulletproof, but can at least prevent a few attacks.

This issue has been added to backlog. It is not scheduled on our road map, but it might be eventually implemented. In case you desperately need this feature, please consider helping or funding the development.

Two years later I got back to this.

TOTP could be easily integrated using https://github.com/django-otp/django-otp, but this library is likely not to receive any improvements in the future.

WebAuthn has is a low-level module https://pypi.org/project/webauthn/, but I could not find any reasonable Django integration. There is a bunch of modules, but none of them seems maintained and in a good shape (see https://github.com/django-otp/django-otp/issues/40 for some discussion).

Out of other libraries, the most promising looks https://github.com/mkalioby/django-mfa2 as it supports all we want, but it's maintenance status is not good.

In the end the most reliable approach might be to build this on low-level libraries as that would easily integrate into our python-social-auth based workflow.

Just for the reference, here is how this got integrated into pypi.org (they are using Flask, so it's slightly different): https://github.com/pypa/warehouse/commit/59ab1f2f1b6a0f5335ae0406120d52bce04880b6 https://github.com/pypa/warehouse/commit/6cbaf8407b371e39defd9654b6c540e468d148a2

Generally, it seems like U2F/Webauthn is either not implemented at all in many popular Python web applications, or in a proprietary, i.e., non-portable way. It's a bit of a shame that there are no good libraries available to just integrate yet. Of course, maintaining a library can be a lot of effort. But in a framework like Django there should have been an official solution available for years. </rant>

django-mfa2 actually looks quite good, there has been a release not too long ago even. I think once implemented, there is not a lot to improve on these modern auth mechanisms. The only issue might be the slightly complex integration into existing projects, but I'm quite confident you would manage to get it done. Also, it's not built on top of Webauthn but kind-of reinvents the wheel as well (at least for {T,H}OTP it seems to use a library called pyotp).

I hope your implementation is either based on or ends up in a reusable solution rather than what PyPI did.

django-mfa2 actually looks quite good

Unfortunately, it does not. Based on quick look inside:

• It comes with no tests
• The code base looks ugly and contains no comments
• It uses third-party JSONField instead of using native from Django, these days it would be more reasonable to use native one
• It links two-factor model by username instead of using a foreign key

That's a pity. Missing tests is one thing, but then also hard-to-maintain code... and there's obviously no excuses for violating database best practices.

Perhaps it's time for a proper Django webauthn module? I'm unfortunately not at all into Django...