django-mfa2 VS python-fido2

I've been using https://github.com/mkalioby/django-mfa2 with good luck

The application is a slim-down version of django-mfa2 which has been 🌟 more 150 times and downloaded round 135k. As this application did only one thing, it is much easier to integrate within your current application.

Add MFA to your application and require it for at least administrative users, super users or any user who has permissions to cause any damage to the application or its data. https://github.com/gotlium/django-secure-auth or https://github.com/mkalioby/django-mfa2. Ideally you'll add and MFA mechanism that supports FIDO2/WebAuthn, but you should also support TOTP (Google Authenticator). Whatever you do, DON'T use SMS, Text Messages or emails as if they were MFA. They aren't.

Adding MFA is a must, and for that you can use https://github.com/gotlium/django-secure-auth or https://github.com/mkalioby/django-mfa2. Just please avoid using SMS or codes sent by email as if they were true MFA. They aren't. If possible prefer FIDO2, and if not, go with TOTP (google authenticator).

Unfortunately, django-mfa2 was not built to support that out-of-the-box. However, to add this feature, one needs to have a local version of the application so as to be able to extend its functionalities.

Django-mfa2 documentation

Modern browsers support this awesome technology and there are a couple of its implemetations in various major programming languages and web frameworks, however, this multi-part post will only focus on implementing it in a Django application using a wonderful django application, django-mfa2 which utilizes python-fido2 under the hood.

https://fidoalliance.org https://loginwithfido.com https://w3.org/TR/webauthn-2/ https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html https://github.com/yubico/Python-Fido2 https://github.com/yubico/libfido2

To start the migration process, let’s first replace u2f.start_authentication() with its counterpart. The data types that the WebAuthn API takes are not quite the same ones used in U2F API. In fact, one of the main pain points was converting the necessary fields into the correct data type.

The specification we'll be addressing says that if a user fails to identify himself/herself using his/her device's authenticator or external authenticator(s) supported by python-fido2, such user should be removed from the database, logged out of the application and then redirected to the registration page to restart the process. This is to ensure that only verified users who used the supported attestation formats during registration are authenticated and authorized.

Modern browsers support this awesome technology and there are a couple of its implemetations in various major programming languages and web frameworks, however, this multi-part post will only focus on implementing it in a Django application using a wonderful django application, django-mfa2 which utilizes python-fido2 under the hood.

But there seems to be somthing nearly finished. https://github.com/Yubico/python-fido2/blob/master/examples/server/server.py