Django phone authentication


(Kabiru Abdulhamid) #1

Hello, we need a tutorial on how to use phone number for authentication in a django app


(Chase Thompson-Baugh) #2

I really dislike when websites try to send me an authentication code via text message. Using a time-based one time password is more secure. There are several articles and pre-built libraries which will display a QR code to the end-user to use with the authenticator app of their choice. Personally, I think this would be a better topic for a tutorial.


(Md Masud Rana) #3

This is annoying, but for more security for your account this is highly recommended @chase.tb


(Vipin Mohan R Nair) #4

I recommend Google Authenticator any day. The only headache is if you lose access to your device.


(Vitor Freitas) #5

I’ve been using 1Password’s 2FA support instead of Google Authenticator lately. They have a well-integrated process that will automatically copy the one-time password to your clipboard as soon as you authenticate to the service, and after you finalize the login, it will restore your clipboard contents.


And if you lose your device, you can easily restore it as long as you have your master password + recovery key.


(Chase Thompson-Baugh) #6

I also use 1Password for my 2FA codes. LastPass also has this feature built-in.

SMS is nice in the absence of some other method. With recent phone number porting scams, rogue cell tower spoofing, and the possibility of just not receiving the text in a low to no coverage area, an out-of-band method of obtaining your 2FA code is good security practice. As long as my phone or computer has power, I can get my code from the 1Password app or on their website.

The only thing better would be to use a hardware security key like what Google requires their employees use.


(Vitor Freitas) #7

Interesting. I was looking at those YubiKeys recently. I wanted to give it a try, but I have to research more on how they work, compatibility, etc.

It was back when I was trying to find an alternative solution to having a 2FA app installed on my phone.


(Chase Thompson-Baugh) #8

YubiKey is also good (and cheaper). Google used to use them too. They announced this year at their NEXT conference that they had switched to their own key which has more advanced phishing protection. There is also a bluetooth variant of Titan.


(Kabiru Abdulhamid) #9

You guys don’t really understand what I mean. Let me be explicit with an example:

Facebook sign-up requires an email or phone number, which means a verification code will be sent. And if a user uses a phone number for sign-up, he/she will be using the phone number as the username and password for logging in.

Hope you understand me better.


(Vitor Freitas) #10

Gotcha! We can use a service like Twilio and create a custom authentication backend. I will also check for a third-party app that provides this kind of support.

The discussion deviated a little bit from the tutorial request but there was some good insights too :smiley:


(Chase Thompson-Baugh) #11

Twilio, like Vitor suggested, or Amazon SNS would be good places to start with that. SNS provides inexpensive pricing for SMS messages.


#12

Can you throw more light here?


(Ljudva) #13

Interesting topic indeed.

On the other hand, I am not a fan of SMS sign-on, since it gives away too much private data already. Nothing else exists on the market, so go with the flow I guess.

The other option is a Captcha sort of thing. Is that not enough? :wink:

Lud


(Kabiru Abdulhamid) #14

There are still regions where this is the most relevant.


(Allan Stockman Rugano) #15

As @CodeAboki said, “we” want a way to present to the user a way of receiving a 2FA code not only with 1Password/GA, but also including an SMS backend. It’s really important to have the SMS option because, here in Africa (and some other less developed countries), people do have mobile phones but not smartphones! Do you guys catch the difference?

The majority of mobile money transactions in my region are done on dumb phones. So I want a way to implement a 2FA method that involves sending an SMS over any “pluggable” backend (Twilio, Amazon SNS, RapidPro, … Kannel) to the user when he authenticates on a Django-based platform.

P.S.: Here is a tutorial I wrote back then outlining how to build an SMS center.
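As an added example (my own code, not from this post, the tutorial it links to, or any Django package), here is the shape both post #10 and post #15 describe: a one-time SMS code issued at login and sent through a pluggable transport, with the code stored only as a salted hash, a short expiry, an attempt cap and single use. It is plain Python so it runs without Django; in a Django project the `_pending` dict would be a model keyed by phone number, the backend class would be selected from a setting, and `verify()` would be called from a custom authentication backend's `authenticate()`. The in-memory backend is what runs here; the Twilio backend uses the official `twilio` helper library's `Client(...).messages.create(...)` call and is only imported if you select it. The phone numbers and messages are constructed demo values.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

E164 = re.compile(r"^\+[1-9]\d{7,14}$")


def normalize_phone(raw: str) -> str:
    """Canonical E.164 form, so "+256 700 123 456" and "+256700123456" are one account."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if not E164.match(digits):
        raise ValueError("phone number must be in E.164 form, e.g. +256700123456")
    return digits


class SMSBackend:
    """Interface every pluggable transport implements (Twilio, SNS, Kannel, ...)."""
    def send(self, to: str, body: str) -> None:
        raise NotImplementedError


class InMemorySMSBackend(SMSBackend):
    """Test/console backend: records messages instead of sending them."""
    def __init__(self) -> None:
        self.outbox: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))


class TwilioSMSBackend(SMSBackend):
    """Twilio transport via the official helper library (pip install twilio), imported lazily."""
    def __init__(self, account_sid: str, auth_token: str, from_number: str) -> None:
        self.account_sid, self.auth_token, self.from_number = account_sid, auth_token, from_number

    def send(self, to: str, body: str) -> None:
        from twilio.rest import Client
        Client(self.account_sid, self.auth_token).messages.create(
            to=to, from_=self.from_number, body=body)


@dataclass
class PendingCode:
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int


class PhoneOTPService:
    """Issue and verify one-time SMS login codes.

    Only a salted hash of the code is kept. A 6-digit code is trivial to brute-force
    offline, so the real controls are the short TTL, the attempt cap and single use.
    `clock` is injectable so expiry can be tested without sleeping.
    """
    def __init__(self, backend: SMSBackend, ttl_seconds: int = 300, digits: int = 6,
                 max_attempts: int = 5, clock: Callable[[], float] = time.time) -> None:
        self.backend, self.ttl, self.digits = backend, ttl_seconds, digits
        self.max_attempts, self.clock = max_attempts, clock
        self._pending: Dict[str, PendingCode] = {}  # a model table in Django

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("ascii")).digest()

    def start_login(self, raw_phone: str) -> str:
        """Generate a code with a CSPRNG, store its hash, send it. Returns the canonical phone."""
        phone = normalize_phone(raw_phone)
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        salt = secrets.token_bytes(16)
        self._pending[phone] = PendingCode(
            salt, self._digest(salt, code), self.clock() + self.ttl, self.max_attempts)
        self.backend.send(phone, f"Your login code is {code}. It expires in "
                                 f"{self.ttl // 60} minutes. Never share it.")
        return phone

    def verify(self, raw_phone: str, code: str) -> bool:
        """True once per issued code; expired, exhausted, malformed or wrong codes fail."""
        phone = normalize_phone(raw_phone)
        pending = self._pending.get(phone)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            del self._pending[phone]
            return False
        pending.attempts_left -= 1  # every guess, malformed or not, costs an attempt
        code = code.strip()
        ok = code.isascii() and code.isdigit() and hmac.compare_digest(
            self._digest(pending.salt, code), pending.digest)
        if ok or pending.attempts_left <= 0:
            del self._pending[phone]  # single use, or lock out after max_attempts
        return ok


if __name__ == "__main__":
    svc = PhoneOTPService(InMemorySMSBackend())
    phone = svc.start_login("+256 700 123 456")  # constructed number
    to, body = svc.backend.outbox[-1]
    print(f"sent to {to}: {body}")
```

Swapping `InMemorySMSBackend()` for `TwilioSMSBackend(sid, token, "+1...")` changes nothing else; an Amazon SNS or Kannel backend would be another subclass with the same `send(to, body)` method. Rate-limiting how often `start_login` may be called per phone (to stop SMS-pumping and cost abuse) is the one control deliberately left out of this block.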


(Kabiru Abdulhamid) #16

@srugano You know exactly my problem. I checked your tutorial and it’s very helpful. I wish you could be my mentor.