2FA Multi-factor authentication

Hi,
how to enable 2FA to LMS?

@muneera_salah, as far as I know, Open edX does not natively support any kind of multi-factor authentication. The workaround could be using the third party authentication (e.g. logging in with OAuth2 or SAML SSO) with the MFA enabled there.

@Agrendalath
many thanks, appreciate your support

@Agrendalath @muneera_salah
We too would like to set up 2FA with the Open edX first-party login and are considering using this Django app for doing this GitHub - jazzband/django-two-factor-auth: Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects. .

Has anyone made progress on 2FA since this conversation?

Here is what I’m thinking for how this may function if enabled using a Django extension plugin.

Design Decisions
The default action when the Django plugin extension is enabled is to provide an email authentication action from the learner. Provide a Django feature flag to either to use this email verification as a passwordless login method or a secondary 2FA check (pseudo-2FA) after password authentication has completed. I’m thinking a secondary 2FA check to avoid having to modify the existing registration page.

Secondary action would be opt-in by the learner. We would need to provide a more robust 2FA method through call, text messages (SMS), or a token generator app. The learner could enable this functionality using the frontend-app-account page.

Default Action

  • Email Code Authentication (receive a 6-digit verification code)
    • Could be used as a passwordless login method (email code replaces password) or
    • A secondary check (pseudo-2FA) after password authentication. User would be redirected to a passcode page to enter in 6-digit verification code. Once the user session expires, they would be prompted to revalidate this passcode.

Opt In Action through the frontend-app-account MFE.

  • Authenticate through call, text messages (SMS), or by a token generator app (DUO services (https://duo.com/), Google Authenticator).

cc @jmakowski @e0d @dave

@Zachary_Trabookis, maintaining the comprehensive auth layer is expensive, can easily lead to numerous vulnerabilities, and would not bring much value to the platform from the LMS or CMS perspective, as multiple open source solutions already handle this well. As discussed in this thread, it would be better to consider adapting one of the existing solutions than designing a new one.