What will you learn?

To better protect your django admin page, you should implement MFA. You could either request that an SMS be sent to your phone, or you could request an OTP from an authenticator app, such as Google Authenticator.

To keep everything short and sweet, I will discuss how you can implement MFA for your django admin page using Google Authenticator. You can also choose Authy if you'd prefer, but for the purpose of this tutorial, we will stick to Google Authenticator.

Preface:

First, be sure to download the Google Authenticator app on your smartphone, since we will be integrating it with our web app.

Step 1:

To install django-otp, open up your terminal and type in the following command:

pip install django-otp qrcode

Step 2:

Next, you want to configure 2FA, and to do this we need to add the required django-otp configurations: ‘django_otp’ and ‘django_otp.plugins.otp_totp’

# settings.py

INSTALLED_APPS = [
   'django_otp',
   'django_otp.plugins.otp_totp',
]

Step 3:

Next, you want to add ‘django_otp.middleware.OTPMiddleware’ to our middleware.

# settings.py

MIDDLEWARE = [
   'django.middleware.security.SecurityMiddleware',
   'django.contrib.sessions.middleware.SessionMiddleware',
   'django.middleware.common.CommonMiddleware',
   'django.middleware.csrf.CsrfViewMiddleware',
   'django.contrib.auth.middleware.AuthenticationMiddleware',

   'django_otp.middleware.OTPMiddleware',

   'django.contrib.messages.middleware.MessageMiddleware',
   'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

Step 4:

Add the following code before your urls.py patterns list:

# urls.py

from django.contrib.auth.models import User

from django_otp.admin import OTPAdminSite
from django_otp.plugins.otp_totp.models import TOTPDevice
from django_otp.plugins.otp_totp.admin import TOTPDeviceAdmin

Step 5:

Next, you will need to create an OTP admin class so that you can register the user and TOTPDevice model in Django’s administration/admin panel.

# urls.py

class OTPAdmin(OTPAdminSite):
   pass

admin_site = OTPAdmin(name='OTPAdmin')
admin_site.register(User)
admin_site.register(TOTPDevice, TOTPDeviceAdmin)

Step 6:

Create the necessary tables in your database for django-otp:

python manage.py migrate

Create a superuser to login to django admin:

python manage.py createsuperuser

Run your server to see the changes:

python manage.py runserver 

Step 7:

Head to the django admin panel via the following URL:

http://localhost:8000/admin

Then proceed to log in with your recently created superuser (admin) credentials.

Step 8:

To register for 2FA, you need to follow the steps below:


# - Go to the Django admin panel

Part 1:

First of all, you must go to the TOTP devices devices table and then add a new device by clicking on the ADD TOTP DEVICE button so that you will be able to do this.

Part 2A:

Choose any user from your User table and then type in a device name. This can be any name of your choosing.

After that please be sure to set your tolerance level. I would recommend at least setting it to 90, since the time for authenticator apps can by out of sync due to the django-otp package.

Part 2B:

When you are done, scroll to the bottom and save your record.



Part 2C:

Next head over to the following link:

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Find your timezone according to the TZ database name column.

Once you have found it, please proceed to your settings.py file and modify your time zone.

Here is an example:

TIME_ZONE = 'Asia/Dubai'



Part 3:

Next, you will need to click on the qrcode and scan it with your google authenticator app.

Part 4:

Once the qr-scan has been completed your account will now be linked with google authenticator and a new token will be generated after a certain amount of time.

Step 9:

Run 2FA in django admin by replacing the default admin URL with the following:

# urls.py

urlpatterns = [ 
  path('admin/', admin_site.urls),
]

*The difference now is that the route now points to admin_site.urls instead of admin.site.urls.

Step ten:
Test 2FA by logging into django admin while using google authenticator.

DONE!

Congratulations! You have now successfully implemented MFA in your django web application. Your django admin will now be better protected with the additional layer of security that you have just added.