Multi-factor authentication (MFA) for your Django admin page

How to implement MFA into your django web application.

What will you learn?

To better protect your django admin page, you should implement MFA. You could either request that an SMS be sent to your phone, or you could request an OTP from an authenticator app, such as Google Authenticator.

To keep everything short and sweet, I will discuss how you can implement MFA for your django admin page using Google Authenticator. You can also choose Authy if you’d prefer, but for the purpose of this tutorial, we will stick to Google Authenticator.

Preface:

First, be sure to download the Google Authenticator app on your smartphone, since we will be integrating it with our web app.

Step 1:

To install django-otp, open up your terminal and type in the following command:

pip install django-otp qrcode

Step 2:

Next, you want to configure 2FA, and to do this we need to add the required django-otp configurations: ‘ django_otp’ and ‘ django_otp.plugins.otp_totp’

# settings.py INSTALLED_APPS = [  ‘django_otp’,  ‘django_otp.plugins.otp_totp’, ]

Step 3:

Next, you want to add ‘ django_otp.middleware.OTPMiddleware ‘ to our middleware.

# settings.py  MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware',                      'django.contrib.sessions.middleware.SessionMiddleware' , 'django.middleware.common.CommonMiddleware' , 'django.middleware.csrf.CsrfViewMiddleware' , 'django.contrib.auth.middleware.AuthenticationMiddleware' , 'django_otp.middleware.OTPMiddleware' , 'django.contrib.messages.middleware.MessageMiddleware' , 'django.middleware.clickjacking.XFrameOptionsMiddleware' , ]

Step 4:

Add the following code before your urls.py patterns list:

# urls.py from django.contrib.auth.models import User from django_otp.admin import OTPAdminSite from django_otp.plugins.otp_totp.models import TOTPDevice from django_otp.plugins.otp_totp.admin import TOTPDeviceAdmin

Step 5:

Next, you will need to create an OTP admin class so that you can register the user and TOTPDevice model in Django’s administration/admin panel.

# urls.py class OTPAdmin(OTPAdminSite):  pass
admin_site = OTPAdmin(name=’OTPAdmin’) admin_site.register(User) admin_site.register(TOTPDevice, TOTPDeviceAdmin)

Step 6:

Create the necessary tables in your database for django-otp:

python manage.py migrate

Create a superuser to login to django admin:

python manage.py createsuperuser test

Run your server to see the changes:

python manage.py runserver

Step 7:

Head to the django admin panel via the following URL:

http://localhost:8000/admin

Then proceed to log in with your recently created superuser (admin) credentials.

Step 8:

To register for 2FA, you need to follow the steps below:

#-Go to the Django admin panel

Part 1: First of all, you must go to the TOTP devices devices table and then add a new device by clicking on the ADD TOTP DEVICE button so that you will be able to do this.

Part 2 A: Choose any user from your User table and then type in a device name. This can be any name of your choosing.

Part 2 B: When you are done, scroll to the bottom and save your record.

Part 3: Next, you will need to click on the qrcode and scan it with your google authenticator app.

Part 4: Once the qr-scan has been completed your account will now be linked with google authenticator and a new token will be generated after a certain amount of time.

Step 9:

Run 2FA in django admin by replacing the default admin URL with the following:

*The difference now is that the route now points to admin_site.urls instead of admin.site.urls.

Step 10:

Test 2FA by logging into django admin while using google authenticator.

DONE!

Congratulations! You have now successfully implemented MFA in your django web application. Your django admin will now be better protected with the additional layer of security that you have just added.

A final note…

For those that are interested in learning Django from scratch, feel free to check out my latest course:

Python Django: Ultimate Beginners Course — 2022

Originally published at https://www.cloudwithdjango.com on May 30, 2022.

--

--

Hi, I’m Arno… I love cloud computing and django web development and I want to share my knowledge and experiences with you.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Arno Pretorius

Arno Pretorius

127 Followers

Hi, I’m Arno… I love cloud computing and django web development and I want to share my knowledge and experiences with you.