mkalioby/django-mfa2

Password-less authentication with django-mfa2

Sirneij opened this issue · 5 comments

I need a password-less system, registration should only require some special alphanumeric characters as username and surname as display name. Clicking register should bring up the platform's fingerprint scanner and touching it should send the hashed challenge as well as the username and display name to the database for storage. Then, users whose credentials have been saved can login with only their username and fingerprint. No password in the entire process. I have implemented this with DUO lab's webauthn but it supports fewer attestation formats and I need to support all attestation formats including tpm, android-safetynet, and apple.

Can I have a concrete example of django-mfa2 with this flow and requirement? No password in the entire process.

@mkalioby

Easy, you create the registration form on 2 steps, the first one the user fills in his info and you create the user in the Database, authenticate the user, and redirect to 'fido2_begin_reg' which will invoke the webauthn API in the browser so the user will complete the registration of his token, and you can save the base_username cookie in the first phase so that the user is asked directly for the token.

Hope it works.
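One way to put the two steps from the reply above together with the username-plus-fingerprint login the issue asks for, as an added example (not code from django-mfa2 and not from the django-mfa2-example repo). It assumes your own `register.html` and `login.html` templates, a URL named `home`, and that the django-mfa2 URL names `start_fido2` (the page whose JavaScript drives the WebAuthn registration) and `fido2_begin_reg` match the `mfa/urls.py` of the version you have installed; the username rule and the `create_session` callback name are assumptions as well.

```python
# Added example: two-step password-less registration plus username-only login
# that delegates the second step to django-mfa2. Not the project's own code.
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the issue asks for "special alphanumeric" usernames; a strict
# allow-list keeps the value safe to store in the cookie and as a user handle.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{6,32}$")
COOKIE_NAME = "base_username"          # cookie name from the maintainer's reply
# Assumption: 'start_fido2' is the django-mfa2 URL name of the HTML page whose
# JavaScript calls the 'fido2_begin_reg' JSON endpoint. Verify both names
# against the mfa/urls.py of the installed django-mfa2 version.
REG_PAGE_URL_NAME = "start_fido2"
AUTH_BACKEND = "django.contrib.auth.backends.ModelBackend"


@dataclass
class StepOne:
    ok: bool
    error: Optional[str] = None
    user: Optional[object] = None
    cookie: Optional[tuple] = None       # (name, value) to set on the response
    redirect_to: Optional[str] = None    # Django URL name to redirect to


def validate_username(username: str) -> Optional[str]:
    """Return an error message, or None when the username is acceptable."""
    if not USERNAME_RE.fullmatch(username or ""):
        return "username must be 6-32 letters or digits"
    return None


def start_registration(username: str, display_name: str, create_user) -> StepOne:
    """Framework-independent core of step 1.

    create_user(username, display_name) persists a user that has no usable
    password and returns the user, or None if the username is already taken.
    """
    err = validate_username(username)
    if err:
        return StepOne(ok=False, error=err)
    if not display_name or not display_name.strip():
        return StepOne(ok=False, error="display name is required")
    user = create_user(username, display_name.strip())
    if user is None:
        return StepOne(ok=False, error="username already taken")
    return StepOne(ok=True, user=user, cookie=(COOKIE_NAME, username),
                   redirect_to=REG_PAGE_URL_NAME)


# Django glue. Imports are local so the core above can be tested without a
# configured Django settings module.
def _create_django_user(username, display_name):
    from django.contrib.auth import get_user_model
    from django.db import IntegrityError
    try:  # password=None stores an unusable password: no password anywhere
        return get_user_model().objects.create_user(
            username=username, password=None, first_name=display_name)
    except IntegrityError:
        return None


def register_step_one(request):
    from django.contrib.auth import login
    from django.shortcuts import redirect, render
    if request.method != "POST":
        return render(request, "register.html")
    result = start_registration(request.POST.get("username", ""),
                                request.POST.get("display_name", ""),
                                _create_django_user)
    if not result.ok:
        return render(request, "register.html", {"error": result.error})
    login(request, result.user, backend=AUTH_BACKEND)  # step 2 needs a session
    response = redirect(result.redirect_to)
    name, value = result.cookie
    response.set_cookie(name, value, httponly=True, samesite="Lax", secure=True)
    return response


def login_view(request):
    """Username-only login: a session is only created by the FIDO2 callback."""
    from django.shortcuts import render
    from mfa.helpers import has_mfa
    if request.method != "POST":
        return render(request, "login.html")
    username = request.POST.get("username", "")
    if validate_username(username):
        return render(request, "login.html", {"error": "login failed"})
    mfa_response = has_mfa(request=request, username=username)
    if mfa_response:          # registered key: django-mfa2 runs the assertion
        return mfa_response
    return render(request, "login.html", {"error": "login failed"})


# settings.py: MFA_LOGIN_CALLBACK = "yourapp.views.create_session"
def create_session(request, username):
    """Called by django-mfa2 after the FIDO2 assertion succeeds."""
    from django.contrib.auth import get_user_model, login
    from django.shortcuts import redirect
    user = get_user_model().objects.get(username=username)
    login(request, user, backend=AUTH_BACKEND)
    return redirect("home")
```

The login view never calls `login()` itself: a user whose name is known but who has no registered authenticator is refused with the same generic message, so that knowing a username alone gives nothing. The cookie is set `HttpOnly`, `Secure` and `SameSite=Lax` because it is only read by the server to prefill the username for the FIDO2 step.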

@mkalioby please, can you make a skeletal but concrete example of these steps?

You can start and I can help as really I don't have the time for it.

Okay. I will send in the link soon

@mkalioby This is the link to the repo django-mfa2-example. Redirecting to fido2_begin_reg downloads one file like that and nothing else.