Configuration¶
General Settings¶
TWO_FACTOR_PATCH_ADMIN
(default:True
)Whether the Django admin is patched to use the default login view.
Warning
The admin currently does not enforce one-time passwords being set for admin users.
TWO_FACTOR_CALL_GATEWAY
(default:None
)Which gateway to use for making phone calls. Should be set to a module or object providing a
make_call
method. Currently two gateways are bundled:'two_factor.gateways.twilio.gateway.Twilio'
for making real phone calls using Twilio.'two_factor.gateways.fake.Fake'
for development, recording tokens to the default logger.
TWO_FACTOR_SMS_GATEWAY
(default:None
)Which gateway to use for sending text messages. Should be set to a module or object providing a
send_sms
method. Currently two gateways are bundled:'two_factor.gateways.twilio.gateway.Twilio'
for sending real text messages using Twilio.'two_factor.gateways.fake.Fake'
for development, recording tokens to the default logger.
LOGIN_URL
Should point to the login view provided by this application as described in setup. This login view handles password authentication followed by a one-time password exchange if enabled for that account. This can be a URL path or URL name as defined in the Django documentation.
See also LOGIN_URL.
LOGIN_REDIRECT_URL
This application provides a basic page for managing one’s account. This view is entirely optional and could be implemented in a custom view. This can be a URL path or URL name as defined in the Django documentation.
See also LOGIN_REDIRECT_URL.
LOGOUT_REDIRECT_URL
Should point to a view that the user is redirected to after loging out. It was added in Django 1.10, and also adapted by this application. This can be a URL path or URL name as defined in the Django documentation.
See also LOGOUT_REDIRECT_URL.
TWO_FACTOR_QR_FACTORY
The default generator for the QR code images is set to SVG. This does not require any further dependencies, however it does not work on IE8 and below. If you have PIL, Pillow or pyimaging installed you may wish to use PNG images instead.
'qrcode.image.pil.PilImage'
may be used for PIL/Pillow'qrcode.image.pure.PymagingImage'
may be used for pyimaging
For more QR factories that are available see python-qrcode.
TWO_FACTOR_TOTP_DIGITS
(default:6
)The number of digits to use for TOTP tokens, can be set to 6 or 8. This setting will be used for tokens delivered by phone call or text message and newly configured token generators. Existing token generator devices will not be affected.
Warning
The Google Authenticator app does not support 8 digit codes (see the upstream ticket). Don’t set this option to 8 unless all of your users use a 8 digit compatible token generator app.
TWO_FACTOR_LOGIN_TIMEOUT
(default600
)- The number of seconds between a user successfully passing the “authentication”
step (usually by entering a valid username and password) and them having to
restart the login flow and re-authenticate. This ensures that users can’t sit
indefinately in a state of having entered their password successfully but not
having passed two factor authentication. Set to
0
to disable. PHONENUMBER_DEFAULT_REGION
(default:None
)- The default region for parsing phone numbers. If your application’s primary audience is a certain country, setting the region to that country allows entering phone numbers without that country’s country code.
Twilio Gateway¶
To use the Twilio gateway, you need first to install the Twilio client:
$ pip install twilio
Next, add additional urls to your config:
# urls.py
from two_factor.gateways.twilio.urls import urlpatterns as tf_twilio_urls
urlpatterns = [
path('', include(tf_twilio_urls)),
...
]
Additionally, you need to enable the ThreadLocals
middleware:
MIDDLEWARE = (
...
# Always include for two-factor auth
'django_otp.middleware.OTPMiddleware',
# Include for twilio gateway
'two_factor.middleware.threadlocals.ThreadLocals',
)
-
class
two_factor.gateways.twilio.gateway.
Twilio
¶ Gateway for sending text messages and making phone calls using Twilio.
All you need is your Twilio Account SID and Token, as shown in your Twilio account dashboard.
TWILIO_ACCOUNT_SID
- Should be set to your account’s SID.
TWILIO_AUTH_TOKEN
- Should be set to your account’s authorization token.
TWILIO_CALLER_ID
- Should be set to a verified phone number. Twilio differentiates between numbers verified for making phone calls and sending text messages.
Fake Gateway¶
-
class
two_factor.gateways.fake.
Fake
¶ Prints the tokens to the logger. You will have to set the message level of the
two_factor
logger toINFO
for them to appear in the console. Useful for local development. You should configure your logging like this:LOGGING = { 'version': 1, 'disable_existing_loggers': False, 'handlers': { 'console': { 'level': 'DEBUG', 'class': 'logging.StreamHandler', }, }, 'loggers': { 'two_factor': { 'handlers': ['console'], 'level': 'INFO', } } }
Remember Browser¶
During a successful login with a token, the user may choose to remember this browser. If the same user logs in again on the same browser, a token will not be requested, as the browser serves as a second factor.
The option to remember a browser is deactived by default. Set TWO_FACTOR_REMEMBER_COOKIE_AGE to activate.
The browser will be remembered as long as
- the cookie that authorizes the browser did not expire,
- the user did not reset the password, and
- the device initially used to authorize the browser is still valid.
The browser is remembered by setting a signed ‘remember cookie’.
In order to invalidate remebered browsers after password resets, the package relies on the password field of the User model. Please consider this in case you do not use the password field e.g. [django-auth-ldap](https://github.com/django-auth-ldap/django-auth-ldap)
TWO_FACTOR_REMEMBER_COOKIE_AGE
Age in seconds to remember the browser. The remember cookie will expire after the given time interval and the server will not accept this cookie to remember this browser, user and device any longer.
If this is set to a positive int the user is presented the option to remember the browser when entering the token. If the age is None, the user must authenticate with a token option during each login, if a device is setup.
Default: None
TWO_FACTOR_REMEMBER_COOKIE_PREFIX
Prefix of the remember cookie. It prefixes a uuid4 to allow multiple remember cookies on the same browser for multiple users.
Default: ‘remember-cookie_’
TWO_FACTOR_REMEMBER_COOKIE_DOMAIN
The domain to be used when setting the remember cookie.
Only relevant if TWO_FACTOR_REMEMBER_COOKIE_AGE is not None.
Default: None
TWO_FACTOR_REMEMBER_COOKIE_PATH
The path of the remember cookie.
Only relevant if TWO_FACTOR_REMEMBER_COOKIE_AGE is not None.
Default: ‘/’
TWO_FACTOR_REMEMBER_COOKIE_SECURE
Whether the remember cookie should be secure (https:// only).
Only relevant if TWO_FACTOR_REMEMBER_COOKIE_AGE is not None.
Default: False
TWO_FACTOR_REMEMBER_COOKIE_HTTPONLY
Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
Only relevant if TWO_FACTOR_REMEMBER_COOKIE_AGE is not None.
Default: True
TWO_FACTOR_REMEMBER_COOKIE_SAMESITE
Whether to set the flag restricting cookie leaks on cross-site requests. This can be ‘Lax’, ‘Strict’, or None to disable the flag.
Only relevant if TWO_FACTOR_REMEMBER_COOKIE_AGE is not None.
Default: ‘Lax’