- Add setting `MFA_MAX_KEYS_PER_ACCOUNT` to limit the number of keys a user can have (defaults to 3). It is recommended to adapt the templates to issue a warning if users exceed this limit.
- drop support for python 3.9
- drop support for fido2 1.x
- cbor-js is no longer required
- the new javascript dependency webauthn-json is included in the package
- the `<script>` element that loads fido2.js now needs to use `type="module"`
- remove support for fido2 2.x for now
- drop support for Django 3.2
- fido2: fix json mapping deprecation warning
- update French translation
- Allow searching by username in the admin UI
- Change label of the name field to "Name for this key" to avoid confusion
- Use `autocomplete="one-time-code"` on form inputs
- Set `Auto-Submitted` header in emails
- Align handling of localhost as a secure context with upstream. Notably, this means that `DEBUG` no longer has any effect and that `127.0.0.1` is no longer treated as a secure context.
- Drop support for Python 3.8
- Add support for `LoginRequiredMiddleware` from Django 5.1
- Fix failed package build
- Set ID field independent of `DEFAULT_AUTO_FIELD`
- Add support for async in `MFAEnforceMiddleware`
- Fix: include `login_failed_subject.txt` in package
- Add support for Django 5.0, drop support for Django 4.1
- Add support for python 3.12, drop support for python 3.7
- Replace setup.py by pyproject.toml
- Add setting `MFA_FIDO2_USER_VERIFICATION`
- Allow using FIDO2 on localhost without HTTPS if `DEBUG` is True (thanks to humphrey)
- Avoid autocompletion in the code field
- Fix minimum supported django version (3.2) in the package
- Add french translation (thanks to hleroy)
- Autofocus in auth form
- Work around rendering bug in qrcode (see lincolnloop/python-qrcode#317)
- Add option to send an email on failed login
- Add new setting `MFA_TOTP_VALID_WINDOW` to compensate for clock drift (thanks to Tobias Bölz)
- Adapt to fido2 1.0.0
- Pin fido2 dependency
- Security fix: The admin login was not adapted, so it could be used to bypass MFA. As a fix, django-mfa3 will now automatically patch `AdminSite` so the admin login redirects to the regular login. (CVE-2022-24857)
- Drop support for Django 2.2
- Use a more efficient string encoding for FIDO2 messages
- Drop support for python 3.6, add support for python 3.10
- Drop support for django 3.1, add support for django 4.0
- No longer include MFA code in credentials for `user_login_failed`
- Add recovery codes. Check the example templates for references to "recovery" to see what needs to be changed.
- Add new setting `MFA_METHODS` to change the set of enabled methods.
- Fix usage with custom User models that use a different username field (thanks to Ashok Argent-Katwala)
- Security fix: Do not allow users to see the names of, or delete, other users' keys (secrets were not leaked)
- Fix packaging: include .mo files
- Fix packaging: include templatetags
- Fix packaging: exclude tests
- Convert qrcode to a template filter. In templates, change `{{ mfa_data.qrcode|safe }}` to `{% load mfa %} {{ mfa_data.url|qrcode }}`.
- Fix form validation on missing code
- Add german translation
- Use `never_cache` and `sensitive_post_parameters` decorators
- Do not generate a new challenge on validation errors
- Trigger `user_login_failed` on failed second factor. This can be used to integrate with external rate limiting solutions such as django-axes.
- Fix: include JS files in python package
- Render qrcode server-side
- Convenience: redirect to TOTP auth if no FIDO2 key exists
- Add optional `MFAEnforceMiddleware`
- Tweak admin UI
- Tweak example templates
initial release
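The settings this changelog introduces (`MFA_METHODS`, `MFA_MAX_KEYS_PER_ACCOUNT`, `MFA_TOTP_VALID_WINDOW`, `MFA_FIDO2_USER_VERIFICATION`) and the optional `MFAEnforceMiddleware`, pulled together into one Django settings fragment. This is an added example, not configuration shipped by django-mfa3: the setting names are the ones the changelog lists, but the values are deployment choices, and the app label `mfa`, the middleware import path, the method identifiers and the accepted user-verification values are assumptions to check against the installed version's documentation.

```python
# Django settings fragment for a project that uses django-mfa3.
# Added example; not taken from the changelog or the project's own code.
# Setting names are those introduced in the changelog; every value below is a
# local policy choice, and the app label and middleware path are assumed.

INSTALLED_APPS = [
    # ... Django's own apps ...
    "mfa",  # assumed app label of django-mfa3
]

MIDDLEWARE = [
    # ... Django's security, session and authentication middleware ...
    # Optional: require every authenticated user to have a second factor
    # enrolled (changelog: "Add optional MFAEnforceMiddleware").
    "mfa.middleware.MFAEnforceMiddleware",  # assumed import path
]

# Enabled second-factor methods. The changelog mentions FIDO2, TOTP and
# recovery codes; the exact identifiers used here are assumed.
MFA_METHODS = ["FIDO2", "TOTP", "recovery"]

# Upper bound on keys per account (changelog default: 3). Keeping it low limits
# how many extra credentials can be added to an account during a brief session
# compromise, and the templates should warn users when they reach it.
MFA_MAX_KEYS_PER_ACCOUNT = 3

# Tolerance for clock drift between server and authenticator. The changelog says
# the setting compensates for drift; reading it as a number of TOTP time steps
# accepted on either side of "now" is an assumption. Every extra step widens the
# period in which an observed code is still accepted, so keep it small.
MFA_TOTP_VALID_WINDOW = 1

# WebAuthn user-verification requirement. With "required" the authenticator
# must confirm presence of the user (PIN or biometric), so possession of the
# key alone does not complete the login. The accepted values are assumed to be
# the WebAuthn ones: "discouraged", "preferred", "required".
MFA_FIDO2_USER_VERIFICATION = "required"

# Localhost is no longer treated as a secure context based on DEBUG, so FIDO2
# development against 127.0.0.1 needs HTTPS (or the upstream localhost rule).
DEBUG = False
```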
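The changelog notes that a failed second factor now triggers Django's `user_login_failed` signal, that the MFA code is no longer included in `credentials`, and that this can feed rate limiting such as django-axes. Below is an added example of a receiver for that signal that keeps a sliding-window count of failed second-factor attempts per username and client address and logs a detection event when a threshold is crossed. It is not code from django-mfa3; it assumes `credentials` carries a `"username"` key and that `request` may be `None`, and the threshold, window and the sample request are constructed for illustration.

```python
"""Sliding-window counter of failed second-factor attempts.

Added example, not part of django-mfa3. Connects to Django's user_login_failed
signal, which the changelog says fires on a failed second factor without the
MFA code in ``credentials``. Assumes ``credentials`` carries a "username" key
and that ``request`` may be None. Threshold and window are local policy.
"""
import logging
import time
from collections import defaultdict, deque
from types import SimpleNamespace

logger = logging.getLogger(__name__)

LOCKOUT_THRESHOLD = 5          # failures inside the window that raise an alert
LOCKOUT_WINDOW_SECONDS = 300   # sliding window length


class FailedSecondFactorTracker:
    """Counts failures per (username, client address) within a sliding window."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW_SECONDS,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.clock = clock                  # injectable for deterministic tests
        self._events = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, q, now):
        """Drop timestamps that fell out of the window."""
        while q and now - q[0] > self.window:
            q.popleft()

    def record(self, key):
        """Record one failure for key and return the count still in the window."""
        now = self.clock()
        q = self._events[key]
        q.append(now)
        self._prune(q, now)
        return len(q)

    def is_locked(self, key):
        """True when the key has reached the threshold within the window."""
        q = self._events.get(key)
        if not q:
            return False
        self._prune(q, self.clock())
        return len(q) >= self.threshold


tracker = FailedSecondFactorTracker()


def client_ip(request):
    """REMOTE_ADDR only; proxy headers are left to a trusted middleware."""
    if request is None:
        return "unknown"
    return request.META.get("REMOTE_ADDR", "unknown")


def handle_login_failed(sender, credentials, request=None, tracker=tracker, **kwargs):
    """Receiver with the user_login_failed signature; returns the failure count."""
    username = str((credentials or {}).get("username") or "")
    key = (username.lower(), client_ip(request))
    count = tracker.record(key)
    if count >= tracker.threshold:
        # Detection event for the log pipeline / SIEM; the MFA code itself is
        # never part of credentials, so nothing secret is written here.
        logger.warning("second-factor failures for %r from %s: %d in %ds",
                       username, key[1], count, tracker.window)
    return count


try:  # wire the receiver only when Django is importable
    from django.contrib.auth.signals import user_login_failed
    user_login_failed.connect(handle_login_failed, dispatch_uid="mfa-failed-2fa-tracker")
except ImportError:
    pass

# Constructed sample request object standing in for a Django HttpRequest.
SAMPLE_REQUEST = SimpleNamespace(META={"REMOTE_ADDR": "203.0.113.7"})


def simulate_burst(username="alice", attempts=6):
    """Replay a constructed burst of failures; return (counts, locked)."""
    t = FailedSecondFactorTracker()
    counts = [handle_login_failed("mfa", {"username": username},
                                  request=SAMPLE_REQUEST, tracker=t)
              for _ in range(attempts)]
    return counts, t.is_locked((username.lower(), "203.0.113.7"))


def window_expiry_demo():
    """Failures older than the window stop counting (fake clock)."""
    fake_now = [0.0]
    t = FailedSecondFactorTracker(threshold=3, window=60, clock=lambda: fake_now[0])
    t.record("k")
    t.record("k")
    fake_now[0] = 61.0          # both earlier failures are now outside the window
    return t.record("k"), t.is_locked("k")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(simulate_burst())
    print(window_expiry_demo())
```

The tracker is intentionally per-process and in-memory; in a multi-worker deployment the same counts belong in a shared store, which is exactly what django-axes provides, so this receiver can be reduced to the logging step when that package is in place.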