DEV Community

Arno Pretorius

Multi-factor authentication (MFA) for your Django admin page

What will you learn?

To better protect your Django admin page, you should implement MFA. You could either have an SMS sent to your phone, or you could use an OTP from an authenticator app, such as Google Authenticator.

To keep everything short and sweet, I will discuss how you can implement MFA for your Django admin page using Google Authenticator. You can also choose Authy if you'd prefer, but for the purpose of this tutorial, we will stick to Google Authenticator.

Preface:
First, be sure to download the Google Authenticator app on your smartphone, since we will be integrating it with our web app.


Step 1:
To install django-otp (together with the qrcode library it uses to render the QR code in the admin), open up your terminal and type in the following command:

pip install django-otp qrcode

Step 2:
Next, you want to configure 2FA. To do this, add the required django-otp apps, 'django_otp' and 'django_otp.plugins.otp_totp', to INSTALLED_APPS:

# settings.py

INSTALLED_APPS = [
    # ... keep your existing apps (django.contrib.admin, django.contrib.auth, ...)
    'django_otp',
    'django_otp.plugins.otp_totp',
]

Step 3:
Next, add 'django_otp.middleware.OTPMiddleware' to your MIDDLEWARE list. It must come after AuthenticationMiddleware, because it needs request.user to already be set:

# settings.py

MIDDLEWARE = [
   'django.middleware.security.SecurityMiddleware',
   'django.contrib.sessions.middleware.SessionMiddleware',
   'django.middleware.common.CommonMiddleware',
   'django.middleware.csrf.CsrfViewMiddleware',
   'django.contrib.auth.middleware.AuthenticationMiddleware',

   'django_otp.middleware.OTPMiddleware',

   'django.contrib.messages.middleware.MessageMiddleware',
   'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

Step 4:
Add the following imports to urls.py, above the urlpatterns list:

# urls.py

from django.urls import path  # already present in a default urls.py
from django.contrib.auth.models import User

from django_otp.admin import OTPAdminSite
from django_otp.plugins.otp_totp.models import TOTPDevice
from django_otp.plugins.otp_totp.admin import TOTPDeviceAdmin

Step 5:
Next, create an OTP admin site class and register the User and TOTPDevice models on it, so that both can be managed from Django's admin panel.

# urls.py

class OTPAdmin(OTPAdminSite):
    pass

admin_site = OTPAdmin(name='OTPAdmin')
admin_site.register(User)
admin_site.register(TOTPDevice, TOTPDeviceAdmin)

Step 6:
Create the necessary tables in your database for django-otp:

python manage.py migrate

Create a superuser to log in to the Django admin:

python manage.py createsuperuser --username test

Run your server to see the changes:

python manage.py runserver 

Step 7:
Head to the Django admin panel via the following URL:

http://localhost:8000/admin

Then log in with the superuser (admin) credentials you just created.


Step 8:
To enrol a device for 2FA, follow the steps below:

Go to the Django admin panel


Part 1:
First of all, go to the TOTP devices table and add a new device by clicking on the ADD TOTP DEVICE button.


Part 2A:
Choose the user from your User table who will own the device, then type in a device name. This can be any name of your choosing.


Part 2B:
When you are done, scroll to the bottom and save your record.


Part 3:
Next, click on the qrcode link for the device and scan the QR code with your Google Authenticator app.


Part 4:
Once the QR scan has completed, the device is linked with Google Authenticator, and the app will show a fresh token at regular intervals.


Step 9:
Enable 2FA on the Django admin by replacing the default admin URL with one that points at the OTP admin site:

# urls.py

urlpatterns = [
    path('admin/', admin_site.urls),
]

The difference is that the route now points to admin_site.urls instead of admin.site.urls.


Step 10:
Test 2FA by logging in to the Django admin with the current code from Google Authenticator.


DONE!
Congratulations! You have now successfully implemented MFA in your Django web application. Your Django admin is now better protected by the additional layer of security you have just added.


A final note…

For those that are interested in learning Django from scratch, feel free to check out my latest course:

Python Django: Ultimate Beginners Course - 2022

Top comments (2)

Umut Çağdaş Coşkun

How to register all current admins to the newly created admin_site? I completed the tutorial, but there is no admin except User and OTPDevice in the admin dashboard?

Umut Çağdaş Coşkun

Put this line in urls.py:
admin.site.__class__ = OTPAdminSite