This implements two factor authentication based on FIDO2, using the python-fido2 library.
We could use django-mfa2 which already provides large parts of the django integration. However, on first glance I had very mixed feelings about the code quality.
Note that FIDO2 is only available in "secure contexts", so you need an https proxy in order to test this. You also need to set the settings DOMAIN = '{your actual domain}' and CASTELLUM_REQUIRE_FIDO2 = True.
Still to do:
- FIDO2 is probably not feasible for everyone (because it requires expensive hardware keys), so it would be good to provide an OTP fallback. This is also the approach that gitlab and github have taken.
- There is no proper UI to register a key yet.
- General refactoring and polishing.