Add Multi-Factor Authentication (MFA) to Django in Mere Minutes
09-21, 11:50–12:20 (Europe/Lisbon), Auditorium

This session's header image

Passwords alone can’t protect us. We need multi-factor authentication, which doesn’t come with Django out of the box. But we can add MFA to our Django projects in just a few minutes, giving our users the ability to protect their accounts with Touch ID, security keys, and one-time passwords.

Passwords alone can’t protect us. Can’t protect our bank accounts or medical records — our most sensitive data.

We need multi-factor authentication, which doesn’t come with Django out of the box. But we can add MFA to our Django projects in just a few minutes, giving users the ability to add multiple factors in addition to their password:

  • time-based one-time passwords (TOTP)
  • hardware security keys, including Touch ID (WebAuthn)
  • backup emergency codes

Among the MFA options available for Django include Kagi, an open-source project that builds upon the work that a team of security professionals undertook to add multi-factor authentication to the Python Package Index (PyPI).

Attendees of this talk will take home the following knowledge and skills:

  • why multi-factor authentication is so important
  • steps needed to add MFA to a Django project
  • how to customize templates for MFA-related views
  • adding TOTP to a phone for easy logins on-the-go
  • how to use Touch ID as second factor
  • browser vendor plans for logins without passwords

Video: https://youtu.be/aannTf_z1XU
Justin Mayer

Justin Mayer is a serial entrepreneur, active open-source contributor, and advocate for stronger security and privacy. His latest project is Fortressa.com, which provides one-tap installation of open-source projects, replacing expensive SaaS products with self-hosted alternatives that protect user privacy. He also maintains the Pelican static site generator as well as a number of other projects for Python and the Fish shell.

Justin speaks fluent Japanese, graduated with honors from the University of California, Berkeley, and received his M.B.A. from the Wharton School of Business.

He writes about security and privacy on the web at justinmayer.com and via @JMayer on Twitter.