add support for otp / 2-factor?

Issue #44 resolved
Former user created an issue

(Imported from Google Code)

Thomas.J.Waldmann wrote:

Not sure if the idea is in-scope for passlib, just wanted to keep the idea here:

What features would the enhancement add?

2-factor auth (like Google Authenticator uses; it is standardized by an RFC)

The first "factor" is a normal username/password check (== passlib stuff); the second "factor" is the computation of a one-time number based on a shared secret (a secret per site and per user).

What parts of the project would this effect?

Needs adding of a little code like there:

(there are also some python libraries on pypi)

Some already existing code of passlib could be (re)used in that context, like e.g. the random string generator - for generating the shared secret.

One issue: getting the shared secret into your (e.g. Android) device is comfortable only by scanning some QR code (one could also type in the code, but that's tedious). Not sure how to solve that without getting into the image generation business or doing requests to some Google API or so. But maybe that part can just be left to the library user.
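The second factor described above (RFC 6238 TOTP on top of RFC 4226 HOTP), as an added example that is not code from the issue or from passlib; it assumes the standard defaults (HMAC-SHA1, 30-second step, 6 digits), generates the per-user shared secret with `secrets`, and leaves QR rendering of the `otpauth://` URI to the caller, as the post suggests.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used only for checks.
RFC_TEST_SECRET = b"12345678901234567890"

def generate_secret(nbytes=20):
    """Random per-user shared secret, base32-encoded for manual entry or QR provisioning."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key, at=None, step=30, digits=6, digest=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits, digest)

def verify_totp(key, token, at=None, window=1, step=30, digits=6):
    """Accept the token for the current step or +/- `window` steps (clock drift tolerance).

    Comparison is constant-time; callers should additionally reject a token that was
    already accepted for the same counter, since a TOTP is only one-time per step.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), token):
            return True
    return False

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that authenticator apps import (typically shown as a QR code)."""
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
            % (quote(issuer), quote(account), secret_b32, quote(issuer)))

if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    print("current code:", totp(base64.b32decode(secret)))
```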

Comments (7)

  1. Former user Account Deleted

    (Imported from Google Code)

    Thomas.J.Waldmann wrote:

    qrcode stuff can be done externally by using the "qrcode" package (which uses PIL to create images), so no need for that in passlib.

  2. Eli Collins repo owner

    (Imported from Google Code)

    I have been trying to think where to draw the line regarding what I include in passlib - certainly don't want it to get so bloated it's not worth downloading for the 1 or 2 things a given developer needs.

    That said, I'm a big fan of GAuth / RFC6238, it's a small enough protocol, and it would fit in pretty nicely. I'll come back to this once the 1.7 development cycle gets underway.

  3. Eli Collins repo owner
    • changed status to open
    • changed Milestone to 1.7

    (Imported from Google Code)

    Couldn't stop myself, went and started coding.

    r340d014 adds a passlib.totp module, which contains low-level support for TOTP, including QR code generation. The basic bits are there, but the module isn't ready for use just yet -- want to wrap everything up in a useful server-side storage format & API, and some other TODOs listed at the top of the module.

    This feature should be included in the 1.7 release.

  4. Eli Collins repo owner

    (Imported from Google Code)

    r72b36cc0471b adds what should (hopefully) be the final api for the passlib.totp module. Have most of it covered by tests & documented, but there are a few edges here and there that need polishing before release. Plan to start using it in my own software for a bit to get some real-world testing before release.

  5. Eli Collins repo owner

    As of rev d52c362, TOTP functionality & documentation is pretty well complete.

    There may be some minor adjustments before release, but closing this issue.
