Login using OTP sent to email #3550
Comments
Thanks for this. Below is my use case and some of my own opinions. Use case: I want to send OTP on user login, redirect the user to the OTP confirmation page, verify the OTP and then send them to their dashboard (or any page I desire). Opinions:
I made a little PoC for a feature like this, I've pushed that here: https://github.com/pennersr/django-allauth/tree/feat-otp-login It's functional but definitely not finished. Would appreciate it if you could give it a test spin to see if this matches your use case.
Thank you for this. I will test it and share feedback with you.
Hi @pennersr
@pennersr: We would also be really interested in having this feature directly available in django-allauth. We have already adapted your PoC (thank you so much for that!) to integrate this feature into our app without having to maintain a fork of django-allauth. I'd be happy to share the diff if you are interested. A few changes that we made FYI:
I'm sorry but how do I test in a production site? Am using 0.61.1 for Django 4.2
Do this: This will install the branch with this feature.
I would like to see this implemented in allauth. Though, I am still a bit at odds on the exact requirements. I initially envisioned this as a feature that would be turned on/off globally via the settings. But I see that @apagano-vue is using this as something that is under control of the user. @apagano-vue, can you please sketch how this works for your users? Also interested in what the possible UI looks like. For example, can they enable/disable this just like e.g. TOTP authentication? Any input, and any good examples of how other sites are implementing this is welcome.
Currently, I am migrating from a custom implementation to Allauth. During this process, I discovered that email-based two-factor authentication (2FA) is not possible. Therefore, I would also like to see this feature implemented. The option for email-based 2FA should only be available if an email address is known AND the current primary email address is verified. After activation, changing the primary email address should only be possible if the "new" email address is also verified. To control the activation, I see two possible approaches:
In my view, this would lead to the following extension:
Hi,
See: #2061 (comment)
TBD:
ACCOUNT_EMAIL_REQUIRED = True -- should likely not be supported without.
ACCOUNT_EMAIL_VERIFICATION = 'none' -- at least for login/signup. When adding a secondary email we still need to verify.
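
The flow discussed in this thread (mail a one-time code at login, verify it on a confirmation page, then let the user through, and only for a verified primary address), sketched as an added example that is not part of the thread or of django-allauth's code. All names, the TTL and the attempt limit are assumptions; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 180      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses allowed per code (assumed value)
SERVER_KEY = secrets.token_bytes(32)  # stand-in for a server-side secret


@dataclass
class PendingLogin:
    email: str
    code_digest: bytes   # only a keyed digest of the code is stored
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(email: str, code: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()


def start_login(email, verified_primary_emails, now=None):
    """Return (pending, code_to_mail), or (None, None) if the address does not qualify.

    The caller should show the same "check your inbox" page in both cases,
    so the response does not reveal which addresses have accounts.
    """
    now = time.time() if now is None else now
    if email not in verified_primary_emails:
        return None, None
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
    return PendingLogin(email, _digest(email, code), now + CODE_TTL), code


def confirm_login(pending, submitted, now=None):
    """Return "ok", "retry" (wrong code, guesses left) or "abort" (start over)."""
    now = time.time() if now is None else now
    if pending is None or pending.used or now > pending.expires_at \
            or pending.attempts >= MAX_ATTEMPTS:
        return "abort"
    pending.attempts += 1
    if hmac.compare_digest(pending.code_digest, _digest(pending.email, submitted.strip())):
        pending.used = True  # single use: a replayed code is rejected
        return "ok"
    return "retry" if pending.attempts < MAX_ATTEMPTS else "abort"
```

In a real deployment the pending state would live in the session or a server-side store, and code requests per address would be rate limited as well.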