This release is a major cleanup with CSS adjustments, so please test before deployment.
- Updated to fido2==1.1.3
- Removed: CBOR; the exchange is done in JSON now.
- Removed: `simplejson` package from dependencies.
- Email OTP is always 6 numbers.
- Better support for bootstrap 4 and 5.
- Added: the following settings
  - `MFA_FIDO2_RESIDENT_KEY`: Defaults to `Discouraged`, which was the old behaviour
  - `MFA_FIDO2_AUTHENTICATOR_ATTACHMENT`: If you would like to have a PLATFORM authenticator; defaults to NONE
  - `MFA_FIDO2_USER_VERIFICATION`: If you need User Verification
  - `MFA_FIDO2_ATTESTATION_PREFERENCE`: If you would like to have an attestation
  - `MFA_ENFORCE_EMAIL_TOKEN`: If you want the user to receive the OTP by email without enrolling; if this is the case, the system admins shall make sure that emails are valid.
  - `MFA_SHOW_OTP_IN_EMAIL_SUBJECT`: If you would like to show the OTP in the email subject
  - `MFA_OTP_EMAIL_SUBJECT`: The subject of the email after the token, allows placeholder '%s' for the OTP
- Add: Set black as code formatter
- Add: Add Pyre as a type checker
- Add: Add pre-commit hooks
- Upgrade: fido to be 1.1.0 as minimum
- Support For Django 4.0+ JSONField
- Removed jsonfield package from requirements
- Fixed #70
- Add QR Code for trusted device link
- Better formatting for trusted device start page.
- Fix: CVE-2022-42731: related to the possibility of registration replay attack. Thanks to 'SSE (Secure Systems Engineering)'
- Fix: CVE-2022-42731: related to the possibility of registration replay attack. Thanks to 'SSE (Secure Systems Engineering)'
- Adding Backup Recovery Codes (Recovery) as a method. Thanks to @Spitfireap for work, and @peterthomassen for guidance.
- Added: `RECOVERY_ITERATION` to set the number of iterations when hashing the recovery token
- Added: `MFA_ENFORCE_RECOVERY_METHOD` to enforce the user to enroll in the recovery code method once they add any other method
- Added: `MFA_ALWAYS_GO_TO_LAST_METHOD` to the settings, which redirects the user automatically to the last used method when logging in
- Added: `MFA_RENAME_METHODS` to be able to rename the methods for the user.
- Fix: A lot of CSS fixes for the example application
- Fixed: issue where the 'Authorize' button doesn't show on Firefox and Chrome on iOS. Note: It seems Firefox doesn't support WebAuthn on iOS
- Fixed: Support for bootstrap5. Thanks to @ezrajrice
- Upgraded to fido2==1.0.0
- Fixed: issue where the 'Authorize' button doesn't show on Safari Mobile.
- Upgrade to FIDO2 0.9.2, to fix issue with Windows 11.
- Fixed: Minor Typos.
- Fixed: A missing import, thanks @AndreasDickow
- Fixed: `MFA.html` now calls `{{block.super}}` for head and content blocks, thanks @mnelson4
- Added: #55 introduced `mfa_base.html`, which will be extended by `MFA.html` for better styling
- Added: MFA_REDIRECT_AFTER_REGISTRATION settings parameter
- Fixed: Deprecation error for NullBooleanField
- Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception
- Upgraded to FIDO 0.9.1
- Fixed: FIDO2 version in requirements.txt file.
- Added support for Touch ID for Mac OS X and iOS 14 on Safari
- Fixed issue in version
- Fixed: Closes #30
- Fixed: version to show correct version
- Added: A missing migration, thanks to @swainn
- Fixed: issue in migration between Postgres and SQLite, thanks to @swainn and @willingham
- Dropped support for django-1.8 and Python 2.7
- Added: never-cache decorator
- Fixes to Make Email Method More Robust
- Addresses several structure and style issues with TOTP and Email dialogs
- Updated to fido2 0.8.1
Thanks to @swainn
- Fixed: is_authenticated #13
- Fixed: is_anonymous #6
thanks to @d3cline,
- Better Error Management
- Better Token recheck
- Fixed some issues for django>= 2.0
- Added example app.
- Added the id of the key used to validate to the session dictionary as 'id'
- Updated to FIDO == 0.7
- Updated to FIDO2 == 0.6
- Windows Hello is now supported.
- Added: MFA_HIDE_DISABLE setting option to disable users from deactivating their keys.