Add Two-Factor Authentication methods
Nowadays, two-factor authentication (2FA) is quite important for web services. It can prevent many privacy violations (unauthorized access to an account) and privilege escalations, and mitigate attacks like phishing, or even person-in-the-middle attacks when more advanced methods like U2F are used. Funkwhale is using Django, which is a common web framework with a very active community. So, I think adding 2FA methods should be an important improvement, and should also be easy to do, since there are community-driven Django 2FA apps.
So, I suggest adding support for the Django-2FA project in Funkwhale. But doing so would break current authentication schemes: for example, for Funkwhale clients (as far as I know, there are only the Funkwhale CLI client and the Mopidy plugin), setting a hardcoded login+password in the configuration file will no longer be enough (it is also bad security practice to write down a user password), so implementing a client authentication method should be a dependency of this feature (#752 (closed)).
Steps:
- Implement Django-2FA in the backend
- Implement REST endpoints if Django-2FA does not provide them (GET 2FA state for a user, for example)
- Create VueJS views for 2FA (second authentication step, 2FA methods management pages)