DjangoCon 2022 | Add Multi-Factor Authentication (MFA) to Django in Mere Minutes

Captions
My name is Justin Mayer, and the first time I attended a developer conference was DjangoCon in the United States in 2011, so I'm really excited to be back here at DjangoCon in Porto. I'm originally from Los Angeles, California, but for the last few years I've spent the nicer months on top of a mountain in the Alps in Italy, where my colleague Luca and I have been working on Fortressa, which we think of as the app store for open source. Just really briefly, it's a place where you can install web applications that would normally be a pain to install: you tap a few things and you get the ability to have analytics that has better privacy than Google Analytics, you can have better uptime monitoring. We just try to make it really developer friendly and make it easy to improve the software that you're developing, and we have some really cool things in the works for Django people, so if you want to see how it works or want to know more about it, just reach out and I'd be happy to demonstrate.

Apart from working on Fortressa, in my spare time I maintain a few open source projects such as Pelican, virtualfish and a few pluggable apps for Django, including one that I'll talk a little bit about today. I want to talk about why multi-factor authentication is important, how not to do multi-factor authentication, and how you can add what I consider to be proper multi-factor authentication to your Django applications.

So first of all, why is multi-factor authentication important? It's important because some people do bad things on the internet, and that causes a lot of damage. How much damage? Let's take a moment to count the financial losses. In 2019, estimated losses were 2 trillion Euro. That's nothing compared to what it will be in a couple of years, when we reach 10.5 trillion Euro. Now, I thought about this for a moment. I'm like, okay, that seems like a big number; what is global GDP, what is the output of all the planet's economic activity? Well, it's about a hundred trillion, so that means we have a loss ratio of about 10% of global GDP to, you know, criminal activity and other crimes that are committed on the internet. That is a staggering ratio, a staggering proportion. So clearly usernames and passwords are not good enough to prevent this kind of damage from happening.

So the software industry has developed several ways of mitigating those losses. Multi-factor authentication usually involves some combination of something you know, like a password; something you have, like a key; and/or something you are, like a fingerprint or face identification. This is not a new concept. I arrived at my BnB last night and I was delighted to discover this. This is sitting in the living room of my BnB, and it has a place to put a key, and then above it there are three dials to enter your combination, and then you can open this safe. I have no idea why this is sitting here in my BnB. I've never seen anything like it before. It's amazing. I want to take it home with me. The universe is saying something to me; it appeared in my BnB when I got there.

So let's talk about some of these "something you have" factors. SMS is one: you put in your phone number when you enable this function, it sends you codes, you enter the codes, okay, you're authenticated. Email tokens are similar: you log in with username and password, and then it says check your email and tap on the link, and then you tap on the link and then you get in. One-time passwords, otherwise known as time-based one-time passwords, you've probably seen these before: you install an app or you use an existing app, and you generate some six-digit number that's tied to some other cryptographic secret, and then you enter in this number and then you can log in. And then there is web authentication, which is usually tied to a USB key. Not always, but up until this point that's been the most common way, and the secrets are on that hardware, and it makes it very, very secure for a variety of reasons.

So now is the portion of the show where I ask you a few poll questions, so please bear with me and raise your hand when appropriate. Raise your hand if you have some account on some website, any website, where you currently use one-time passwords via an app on your phone or computer to generate six-digit numbers. Okay, so that's a good number. Wow, that's like 70, 80 percent, maybe even higher. Okay, now raise your hand if you have some account on some website, any website, where you currently use web authentication as an authentication factor. Okay, it's definitely a lot less, as I would imagine; you know, maybe 25-ish percent. Okay, good to know. Now raise your hand if you've ever added SMS-based multi-factor authentication or email-based two-step login to an application that you've worked on. Wow, okay, that is a big number, maybe 35-ish, 40 percent. Okay, and if you raised your hand just now, I'm going to explain the reasons why you should reconsider your life choices. I'm kidding, kind of. So, okay, one last time, then I'll be done with this: raise your hand if you ever wanted to use one-time passwords or web authentication on some account you use, but you can't because that site doesn't offer it. All right, pretty much most of the room. Cool, that's also great news, you know, because if we don't demand it, it's not going to happen.

So SMS and email two-step logins have a problem, and that means you can't easily share an account. Now, okay, you could say, well, you shouldn't be sharing accounts. Well, actually there are some good reasons, legitimate reasons, to share an account. Maybe your romantic partner and you have an account somewhere and you need to be able to get into that account, and you can't because the code is now going to that person's phone or email account and you don't have easy access to that. It could be a business partner, same problem. And you have this dance, it's like, hey, can you send me the code you just received? Sure, here it is. So not only is this a hassle for everyone involved, but it also conditions people to sharing these codes, which opens the door for attackers to send spoofed messages pretending to be someone that you know and asking for these codes, which is a thing that is very real and happens, sadly, every day.

So SMS-based MFA is terrible. Some people will say, "Oh, but it's better than no multi-factor authentication," and this is nonsense. Those are not the only two choices; this is a false dichotomy, and it's a low bar. We can and do better. And why? I don't have enough time to go into the real details, but the security of SMS-based multi-factor authentication is bad. If you want to know why, just reach out and I can tell you why it's bad. It's also a privacy violation. So, you know, Facebook famously years ago said, okay, we're going to offer you great multi-factor authentication, just give us your number, don't worry, we're only going to use it for multi-factor authentication, we promise. Everyone knows that was a lie. It ended up being a big lie, and they were caught in that lie, and they ended up using it for all kinds of other ad tracking and gross things that they shouldn't have been using it for. So it's just not a good thing to even be asking your customers or users to be putting in their phone numbers. It's a GDPR problem also. It's just a bad idea. Even the sites that offer better options like one-time passwords and web authentication will often force you to hand over your phone number and set up SMS-based multi-factor authentication as some kind of fallback, and so you have to do that in order to use the better ones, which weakens the security advantage of the better ones and once again violates their privacy. So that's SMS.

Email-based two-step authentication is a little bit more private; you don't have to hand over your phone number. But in other ways it's worse than SMS. It's slow: when you want to log into something, you don't want to wait for some email to arrive. That could take 10 seconds, it could take 10 minutes. That's not something you want to do when you're trying to log into some place. Email delivery is not reliable: sometimes it arrives, sometimes it doesn't. This is not a way to set up an authentication system. It's also not really multi-factor, because of password reset functionality. This is in some ways still single-factor authentication. Why is that? Well, again, like we talked about, something you know, something you have; well, here this just ends up being something that you have, which is your email account. This method, you know, protects against a site having a database breach where they get all the passwords. Okay, well, this protects against that, so there is some value. But if someone has access to your email account, they own you. They can just reset your password, so they have that now, and then they can use the two-step login token, and now they have that, and now they're in your bank account.

So the stakes have become even higher recently, as companies are starting to require that you enable multi-factor authentication to use their services, which sounds great, except that their MFA implementations are a trash fire generally, and they're dependent on SMS and email, and this is not the world that I want us to live in. So those are my notes on SMS and email for multi-factor authentication.

Now I'll mention two quick things about one-time passwords and web authentication. One-time passwords should be device- and app-agnostic. Many companies require that you use a specific app to use their one-time-password-based multi-factor authentication. This is insanity. It's math. The math doesn't care which app performs the cryptographic functions. So if you require users to install and use a separate app, when you already have one you like and want to use, but they're requiring you to install a separate one in order to do this thing on their site even though you already have one you like, you are making the internet a worse place to be, and I want you to not do that.

Web authentication is the only method that protects against phishing. All of these other things, including one-time passwords, can be phished: you set up a fake site and you trick someone; they think they're on the real site, they're on a fake site, they put in their one-time password, now they have that, and now they have 60 seconds or so to get it into where they need to go, and now they're in your account. Web authentication is more secure, but it has usability problems. You know, it's usually a USB key, you have to push it, you could lose your key. It's not great for normal humans, which is why, when I did this poll, I found that most of you don't use it. Thankfully, web authentication can now be used without USB keys. It's now being integrated into other solutions like Touch ID and other ways that some might argue are slightly less secure, but even if that were true, this is made up for by much higher usability. So I think it's a great way of getting web authentication into more people's use. It's a very worthwhile trade-off.

So I get frustrated by the glacial progress of this whole multi-factor authentication thing. All of my banks, my health care providers: five years after I started presenting talks about multi-factor authentication, nothing has changed with any of the sites that I interact with. Not one of them supports one-time passwords or web authentication in any kind of sane manner, and I want to do something about that. And so I've been working on a solution for Django. One of the cool things about social media is that you can encounter people with shared interests all over the world. One of the other attendees at this conference, Rémy Hubscher, replied to one of my tweets a while back when I mentioned that I wanted to build a better multi-factor authentication solution for Django, so we've been collaborating and we built this app called kagi, which is the Japanese word for key. I've spent a lot of time in Japan and speak the language, so everything I name seems to have a Japanese name. But I wanted to build this because it's based on a Python library called webauthn. It doesn't use the FIDO2 library; I just prefer the technical implementation of webauthn a little bit better, and also that was the library that was chosen for the work that Trail of Bits, which is a very well respected security company, did: they used that library to implement multi-factor authentication for PyPI, and I really liked the work that they did, so I wanted to emulate how they did it.

So now I'm going to show you how to add multi-factor authentication to a fresh Django project in just a few minutes. I wanted to do this live, but in my experience presentation projection systems aren't really optimized for live demos, so I recorded myself doing this to a fresh project, which you will be able to see here in real time. So I'm creating a virtual environment. I'm using fish, so if you see weird things it's because it's fish, but most of it should be standard. I'm now pip installing kagi as well as its dependencies, including the latest Django, 4.1.1. I'm creating a new project. I'm just calling it "core", just to have something in the project that makes sense, and renamed the overall project "kagi demo". The first thing I'm going to do is start editing some of the settings that are automatically generated by Django so that we can start using kagi. So the first thing to do is to add kagi to your installed apps. There will be delays where I don't say anything because I'm waiting for the next thing to happen, and this is one of those times. Next, we need to add a place for templates, because we need to add a base template, as you'll see in a subsequent step, and it could be any base template. There just needs to be a template called "base" for us to be able to override and extend the things that kagi does.

So now we need to add some kagi-specific settings, and one of those is the login redirect URL: once you have successfully logged in, where should it go? We're going to have it go to the multi-factor authentication settings, just so we can get there quickly and start configuring them. We are defining our login URL route, and we are setting which IP addresses should be allowed; because we are doing this all on localhost, we are just using a loopback address. We need to set some WebAuthn-specific details as well, such as the relying party ID, which I believe can really be anything. We're just calling it localhost, or maybe it needs to be the actual domain; I don't remember. That's the problem with doing things and then forgetting how you implemented them. We have a relying party name, again totally arbitrary, and then an icon URL, for which I'm just using some placeholder. Those are all the settings that need to go into this file.

Then the next thing we need to do is make some edits to the URL routes. I need some elevator music. One of the things you'll realize in a moment: see if you can spot the mistake that I make. That'll be a fun activity for everyone, because there's one in here, or at least there will be. So we're adding some paths so that when the user logs in they are... so I'm waiting for my own extremely slow typing to happen. So we do a reverse_lazy redirect to the login page. Was I drunk when I did this? I don't remember typing this slowly. And then we include all of the kagi-provided URL routes and then we namespace them, and that should be the only edits that we need to do here. But I made a mistake when I did this. Did you see it? That's right. So here, this is just a base template. This could be anything, and I copied this from the demo project inside the kagi repo, but it's just a base template; it doesn't really do anything kagi-specific. So we need to run migrations, but we're going to run into the error that you all, being smarter than me, figured out: you figured out what I did wrong. I could have done some clever editing, you know, but I wanted to really show that this is almost like a live demo. I'm going to fix my silly mistake and import the RedirectView, and now we should be able to run our migrations. Yay. Now we need a user, so I'm going to create our user so we have something with which to log in. Great, so now we have everything we need to start the application.

And now we switch to our browser, and we will just go straight to localhost:8000, put in our username and password, and the first thing we see is the multi-factor authentication settings. So we're going to tap on web authentication keys, and we don't have any; this is a list of zero keys. So we are going to tap "add" in order to add one. First we're going to choose a key name. I'm going to call this "SoloKey", which is the brand of my key, and then I hit add. You could use Touch ID, but instead I hit cancel, or not cancel, but "no, I don't want Touch ID, I want my hardware key". So that's what I did. I put my finger on it, and then it adds this key to the list, as you see here. So we've added our first second factor; we now have that as a factor for logging in. I'm also going to take this opportunity to add a one-time password. Obviously you won't be able to see the phone portion of this, but the phone portion is: I use my 1Password app, I hit "add one-time password", it has a camera, I scan the QR code, it then starts generating the six-digit numbers that refresh approximately every 30 seconds, and once I see that code I go over to this token box, I put in the six-digit number, and I add that device. So now I have two different ways of logging in. If I have one device with me, great; if I don't, I can use the other one. So you can see here that it shows the status: we have web authentication enabled and we have one-time passwords. And now I'm going to generate backup codes. These are important if you have none of the other two. You can save these backup codes somewhere; you can print them out, put them in a safe in your house, however you decide to preserve them. But this way, if you're like, I am locked out, I've lost my phone, I've lost my web authentication key, you have a way of getting in.

So now we're going to see what happens now that we've enabled those things. So I log out, and now I'm going to log back in, and this time the flow is different. Now we are prompted to enter in some other factor. I'm going to use a one-time password in order to do that. Tap the wrong button, and here we are; now we're in the account. So you can see how this works. And then the next step is: I'm now going to copy all of the templates that are provided by kagi, that would normally just be installed for you, and they are installed for you, but I'm going to copy them to the local project so that I can override one of them, just so you can see how that would work. Obviously the templates that are provided are totally unstyled; you know, they're not particularly attractive. That was done so that you can do the things you need to do. So here I've copied over those templates. I'm going to edit one of them and just quickly change the title of this page. And I noticed that for some reason in the stock templates the backup codes are in the middle, so you have web authentication, backup codes, and one-time passwords. That seems a little weird to me; I should probably change that, but at least I'm changing it here in this local project. Once we make that change and then we flip back to our browser, we should see, when we refresh the page, that those changes have taken effect. So that's how you can override the stock templates and customize them for what you need to do.

So the templates included, yes, I already mentioned this, they're unstyled. You know, when we started developing Fortressa, I'm sure you will be unsurprised to hear that it was important to me that we integrate multi-factor authentication via kagi from the very beginning, so I wanted to give you an idea as to what it looks like when those templates are styled, because otherwise it's a little unclear, I think, as to what that looks like. So this is Fortressa. We have these different services that you can install, but we're going to go to your profile, and here I'm going to go to the security section, and here's a much nicer list of those things. We're going to add a one-time password, same flow as you have already seen, but it's just a nicer experience when you take a moment to style the templates to fit your layout and your styling. So that's that. I know that we're a little short on time, so I'm just going to skip ahead, because you get the basic idea.

So in terms of future plans, Rémy and I would like to find some time this week to work on kagi a little bit, including upgrading the web authentication library to a more recent version and then correspondingly updating some tests, because we like to maintain 100% test coverage. In terms of future plans, another thing that I think would be exciting would be to implement support for passkeys. So up until now we've been talking about multi-factor authentication as an additional factor to usernames and passwords, but one of the things that people are trying to do is to get rid of those other two things so that you just have the passkeys, so there are no more passwords. And this actually can work. Both Apple and Google are implementing support for this. The latest version of Safari that just came out a week or two ago, Safari 16, includes support for passkeys. Here's a link where you can learn more about it. It's a little bit more Apple-specific, but I'm sure you can find that for Google-related things as well. I think it's really exciting. I think it's really going to improve security, but more importantly, with good usability. I have some reservations about it, because, you know, with usernames and passwords and multi-factor as it stands, the way I just described it, it's not tied to a particular company or architecture, and this kind of is, and so I don't love that. But it's also a really great combination of security and usability, so I at least want to be open-minded about it and see if it could be a good solution for users.

So today I wanted to really inspire you. I wanted to explain why I think this is important. I wanted to explain how easy it is to do it. I mean, you could do this; I basically just did it in five minutes. It took me a couple extra minutes to flip back to the browser to show you how it works, but you could actually do this in five minutes. So I will announce on Twitter when I've posted these slides, so you can follow me if you want to know when they're available. If you want to know more about multi-factor authentication and kagi, if you have any questions, ideas or suggestions, please come find me here at the conference or reach out via Twitter or via my site. Thanks for coming and thanks for listening. [Applause]
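The talk's point that a one-time password is "just math", so it does not matter which app generates it, shown in working code. This is an added example, not code from the talk or from kagi: an RFC 6238 TOTP generator plus a server-side verifier that tolerates one 30-second step of clock drift and rejects a code that has already been accepted (the replay a phished code would attempt). The secret is the RFC's published test key; the drift window, the replay check and the otpauth URI values are my own choices.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 4226 (HOTP) / RFC 6238 (TOTP): the six-digit code is an HMAC-SHA1 over a
# counter derived from the clock, so every app that does this arithmetic with
# the same secret produces the same code; no vendor-specific app is required.
STEP_SECONDS = 30   # period used by 1Password, Google Authenticator, etc.
DIGITS = 6

# Test secret from RFC 6238 Appendix B (the ASCII key "12345678901234567890"),
# embedded here so the example runs offline and its outputs can be checked.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1(secret, counter), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_used_step=None, window: int = 1,
                step: int = STEP_SECONDS):
    """Return the time step the submitted code matched, or None if rejected.

    Accepts +/- `window` steps of clock drift between phone and server, and
    refuses any step at or before `last_used_step`, so a code that was already
    accepted once (for example one captured by a fake login page, as the talk
    describes) cannot be replayed inside its validity window.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate).encode()
        if hmac.compare_digest(expected, code.encode()):   # constant-time
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded in the enrolment QR code; any RFC 6238 app,
    not only a vendor's own, can scan it, which is the talk's app-agnostic point."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}"
            f"&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the 8-digit code is 94287082, so 6 digits -> 287082
    print("code at t=59:", totp(RFC_SECRET, 59))
    print("accepted at t=89 (one step of drift):",
          verify_totp(RFC_SECRET, "287082", 89))
    print("replay after it was used for step 1:",
          verify_totp(RFC_SECRET, "287082", 89, last_used_step=1))
    print(provisioning_uri(RFC_SECRET, "alice", "ExampleApp"))
```

The account name and issuer in the last call are constructed placeholders; a real deployment stores the per-user secret server-side and persists `last_used_step` per user.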
Info
Channel: DjangoCon Europe
Views: 2,742
Id: aannTf_z1XU
Length: 26min 36sec (1596 seconds)
Published: Fri Oct 14 2022