addstatictoken from Django-OTP doesn't always work with BackupView etc. #145

Open
moggers87 opened this issue Mar 27, 2016 · 4 comments

@moggers87
Collaborator

This is partly a bug with Django-OTP. See this PR

If the specified user has already generated backup tokens (and thus has a StaticDevice), then addstatictoken will behave as expected - the user gets a new backup token.

However, if the user didn't previously, the command will create a StaticDevice with the name "Backup Code". Django Two-Factor Authentication has the name "backup" hardcoded into all its views and so never sees the newly created token.

tl;dr: D2FA and Django-OTP have hardcoded different names for backup tokens.
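To make the mismatch concrete, here is an added in-memory stand-in (not django-otp, D2FA or Django code) that models a StaticDevice table and the two code paths described above: the command's auto-create with the name "Backup Code", the views' lookup by the hardcoded name "backup", and a helper in the spirit of psagers' suggestion that ensures the expected device exists before a token is added. Device/token shapes, the user identifier and the token generator are assumptions.

```python
# Added example: in-memory stand-in for django_otp's StaticDevice/StaticToken.
# It mirrors the behaviour the issue describes; it is not the real code.
from dataclasses import dataclass, field
from secrets import token_hex

@dataclass
class StaticDevice:
    user: str
    name: str                      # django-otp: a human-readable label, not a key
    tokens: list = field(default_factory=list)

DEVICES: list[StaticDevice] = []   # constructed stand-in for the database table

def _devices_for(user):
    return [d for d in DEVICES if d.user == user]

def addstatictoken(user):
    """Stand-in for the management command: reuse the user's existing
    StaticDevice, otherwise create one named "Backup Code"."""
    devs = _devices_for(user)
    device = devs[0] if devs else None
    if device is None:
        device = StaticDevice(user, "Backup Code")
        DEVICES.append(device)
    token = token_hex(4)           # assumed token format
    device.tokens.append(token)
    return token

def d2fa_backup_tokens(user):
    """Stand-in for the D2FA views: look up the device by the name "backup"."""
    for d in _devices_for(user):
        if d.name == "backup":
            return list(d.tokens)
    return []                      # device named "Backup Code" is never seen

def ensure_backup_device(user):
    """Make sure the user has the StaticDevice the views expect, even if it
    holds no tokens yet, so a later addstatictoken lands in the right place."""
    for d in _devices_for(user):
        if d.name == "backup":
            return d
    device = StaticDevice(user, "backup")
    DEVICES.append(device)
    return device
```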

@moggers87
Collaborator Author

Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?

@psagers

psagers commented Mar 28, 2016

The name field of django_otp.models.Device is documented as "A human-readable name to help the user identify their devices." It's really not intended to identify specific devices in the database. If D2FA would like to manage specific devices, my recommendation would be to create a model that holds foreign keys to those devices.

Ideally, addstatictoken should probably fail if there's no StaticDevice, perhaps with a flag to enable the current auto-create behavior. This is really just meant to help with bootstrapping a development environment or something.

Either way, if D2FA wants to be in a position for addstatictoken to always do the right thing, that probably means ensuring that every user always has a StaticDevice, even if it has no tokens. Alternatively, it could provide its own management command for this kind of thing.

@Bouke
Collaborator

Bouke commented Apr 5, 2016

Good thoughts @psagers, those sound like good improvements. Thanks for the advice on how to improve this package.

@MarkusH
Collaborator

MarkusH commented Jul 10, 2016

@moggers87

Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?

I'm not saying it's a good idea and I'm not suggesting we should support it, but a lot of banks still provide printed TAN lists to use for e.g. online banking. These codes are static 2FA codes but are not backup codes in case you lose a device, afaict.
