Hi Joe,

uff, you are bringing up a hard topic :) Yes, I absolutely would like Django 
to have better support for WebAuthn (U2F-like tokens at least), and probably 
another one or two (I'd keep the scope for support in Django small, though, 
once we know that the API works).

Getting this actually implemented might be a different story, though. I am 
imagining quite a bit of work and effort. I think a first step would be to 
spec the required features out a bit and then start working on a DEP. Probably 
raise some money along the way, because I imagine this to be a rather big 
project -- but the support is certainly there!

Cheers,
Florian

On Friday, April 5, 2019 at 1:17:31 PM UTC+2, Johannes Hoppe wrote:
>
> Hi there,
>
> I wanted to start a longer discussion on authentication. I have looked a 
> lot into alternative Django authentication backends, to see what ideas 
> people have come up with. Sadly, I also discovered many security issues 
> while reviewing some prominent packages. Anyhow, Django started out with 
> username and password, which for the time being was a good idea, I guess. 
> Looking forward, I believe it is a good time to reevaluate that concept for 
> the decade to come.
>
> There have been plenty of new developments: 2FA, OAuth2, SAML, OpenID 
> (Connect), OTP, and the list goes on. Many of them even made it into proper 
> standards and have been adopted in soft- and hardware.
>
> I think to get the discussion going in the right direction, we first need to 
> figure out what Django is supposed to provide.
>
> IMHO, Django should provide a secure and simple (for developers) out-of-the-box 
> solution that allows anyone who doesn't hold a PhD in crypto science to 
> build a secure web service.
> As with anything in Django, it should be extendable or swappable for more 
> advanced use cases, and there should be plenty of well-written documentation 
> on how to do that securely.
>
> With that idea in mind, I see a personal problem with passwords. Passwords 
> have been proven not to be secure, mostly because people are using them 
> wrong. 123456 is still the most commonly used password. So it is not 
> strange to me that everyone is looking for different authentication 
> methods and developers use different authentication backends. I actually 
> haven't used Django password authentication in the last 5 years, and there 
> are others like me, I presume. Out of that demand, people even started 
> building their own authentication backends. This is the point where I 
> wish everyone had a PhD in crypto science. Bottom line, you end up with 
> many insecure services. The very thing Django should be good at, by my 
> definition earlier on.
>
> Anyhow, I am curious what your thoughts on this matter are. Mainly, what 
> you believe Django's place in all this is, and how this could be implemented.
>
> Best
> -Joe
>
