One Time Password/Token Generation and Validation

[selwin]

Code of Conduct

• I agree to follow Django's Code of Conduct

Feature Description

A built in way for Django to generate and validate one time tokens.

Problem

Many web apps use single-use codes for:

• Passwordless login
• Email/phone verification
• 2FA

Despite being a common requirement, Django currently lacks a built-in, standardized mechanism for generating and validating one-time passwords (OTPs).

Request or proposal

proposal

Additional Details

No response

Implementation Suggestions

Proposed APIs (obviously I'm still open to suggestions):

from django.auth import otp

token = otp.create(key, ttl, length, allowed_chars)

# Passing in `delete=True` would  invalidate the token after successful validation
otp.authenticate(key, token, invalidate=False)

[github-actions]

Thank you selwin for sharing your idea! We have a lot of them so please be patient. You can see the current queue here.

Community instructions

For commenters, please use the emoji reactions on the issue to express support, and/or concern easily. Please use the comments to ask questions or contribute knowledge about the idea. It is unhelpful to post comments of "I'd love this" or "What's the state of this?"

Reaction Guide

• 👍 This is something I would use
• 👎 This is something that would cause problems for me or Django
• 😕 I’m indifferent to this
• 🎉 This is an easy win

[knyghty]

I'd rather implement WebAuthn but I also wouldn't say no to this.

[collinanderson]

WebAuthn requires javascript so otp would be nice as a simple way to not require javascript. The otp algoritm is pretty simple to implement without dependencies.

https://en.wikipedia.org/wiki/Time-based_one-time_password
https://en.wikipedia.org/wiki/HMAC-based_one-time_password

[knyghty]

Sorry, I didn't mean to sound like I was not in favour at all if we had WebAuthn, I definitely want both. It was more a preference of what I'd rather be using. I do think we should want both, even if WebAuthn requires another dependency.

[frankwiles]

While low dependency count is good for lots of reasons I'd personally lean more toward using something like https://github.com/pyauth/pyotp (as an optional dependency perhaps) rather than re-inventing the wheel here. (pun intended hehehe)

[LilyAcorn]

We're moving this forward. Next steps will be to write up a more detailed proposal in a DEP. We think #4, #12 and #17 are sufficiently related to look at together.