How to setup 2FA in Django admin?

Santiago González
3 min read · Sep 4, 2023


Introduction

Cybersecurity has emerged as one of the most significant concerns for organizations. Attacks and security breaches can have severe repercussions, both financially and reputation-wise. Administrative interfaces are particularly vulnerable, where unauthorized access can lead to the modification or extraction of critical data. The Django admin panel, although robust and secure by design, is not immune to these threats.

Access based solely on a password is no longer adequate. Passwords, even if they’re complex, can be compromised, often due to social engineering tactics, brute-force attacks, or simple human oversights. This is where Two-Factor Authentication (2FA) comes into play, adding an additional layer of security that goes beyond the mere password.

In this article, we will look at how to implement 2FA in the Django admin panel, a crucial measure to strengthen security and safeguard the integrity of our systems.

Disclaimer:

In this article, we assume that you manage your project’s dependencies with Poetry. If you want to know more about Poetry, you can read the article “Poetry: Order in the Chaos of Python”.

Let’s go!

To implement 2FA, we will use django-otp, an extension for Django that adds support for one-time password (OTP) authentication.

Step 1: Install dependencies

The qrcode package lets us generate a QR code that can be scanned with the application you use to manage tokens, such as Google Authenticator.

poetry add django-otp qrcode

Step 2: Configure settings.py

As usual, you should add this to your settings.py file:

INSTALLED_APPS = (
    ...
    'django_otp',
    'django_otp.plugins.otp_totp',
    'django_otp.plugins.otp_static',
    ...
)

MIDDLEWARE = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_otp.middleware.OTPMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    ...
)

In MIDDLEWARE, the only new line is django_otp.middleware.OTPMiddleware; place it right after AuthenticationMiddleware, as shown above, because it needs request.user to be set before it runs.

Step 3: Apply the database migrations

Run this:

py manage.py migrate

You should see output like this:

Operations to perform:
Apply all migrations: admin, auth, contenttypes, manager, otp_static, otp_totp, sessions
Running migrations:
Applying otp_static.0001_initial... OK
Applying otp_static.0002_throttling... OK
Applying otp_totp.0001_initial... OK
Applying otp_totp.0002_auto_20190420_0723... OK

Step 4: Create a TOTP Device

Now log into the Django admin and create a TOTP device for your user.

After this, we have access to a QR code that we must scan with our code-generating application.

Step 5: Configure admin site

Now you need to make the admin site use the OTP-aware site class, so that the login form also asks for the token. Make sure you created the device in Step 4 first: once the admin site requires OTP, a user without a device cannot log in. Add this to your project's urls.py file (not your app's):

from django.contrib import admin
from django_otp.admin import OTPAdminSite

admin.site.__class__ = OTPAdminSite

Now, when you log in to the Django admin, you have to enter the OTP token as well as your password:

TL;DR

As we have seen, integrating 2FA is very straightforward thanks to the django-otp extension: simply following its installation steps enhances the security of the Django admin site.
