- Fixed the XML syntax of the Twilio token.xml file.
- The Yubikey token field is now receiving autofocus.
- Avoid crashes for devices with no
throttle_*
methods (#699). - Fixed format of the hash for the OTP device cookie key.
- Allow django-phonenumber-field 8.x.x.
- Project build is now using a more modern toolbox based on
pyproject.toml
(no more setup.*). - The plugins method registry can now return a new
MethodNotFoundError
exception when some method is not found in the plugins registry.
- Support confirmation for Django 5.1.
- The login view is also decorated with the
login_not_required
decorator for projects using the newLoginRequiredMiddleware
available with Django 5.1+.
- Dropped support for Django <4.2.
- Removed custom
utils.class_view_decorator()
in favor of Django'smethod_decorator()
.
- Avoid potentially empty
<ul>
on the profile page.
- Upgraded minimal webauthn dependency to 2.0 (which also removes a deprecation
warning) (#634, #701). Note the
pydantic
dependency was removed in webauthn 2. - Checking phone method availability uses now the method registry (#665).
- Logout example uses POST method to match recent Django behavior.
- Updated translations.
- Support confirmation for Django 5.0 and Python 3.12.
- A new
main_form_content
template block on login template allows for easier overridability.
- Include transitively replaced migrations in phonenumber migration.
- Avoid importing PhoneDevice when not enabled.
- Simplified URLs for phone_create/phone_delete paths.
- Implement strict PhoneDevice identification (#661).
- Avoid multiple registrations of the same method (#657).
- Get all phonedevices of the user (#659).
- Allow django-phonenumber-field 7.
- Updated Dutch, German, and Spanish translations.
- Python 3.7 support (EOL).
- Corrected migration dependency (introduced in 6150a782b6e6).
- Fixed throttling for PhoneDevice (#418).
- Added Turkish translation.
- Fixed a PhoneDevice migration generated even when the phonenumber plugin was not installed (#587).
- Created a custom phonenumber migration to allow migration for both when the model already exists (legacy installs) and for new installs (#611).
- Confirmed Django 4.2 support
- Set
default_auto_field
toAutoField
in apps config that have models, so no migrations are generated for projects defaulting toBigAutoField
(#436). - [webauthn] Drop unneeded unique index on
public_key
, which was unsupported on MySQL (#594).
- Missing plugin templates (#583).
- Migrations of
two_factor
app are squashed to avoid requiringphonenumber_field
optional dependency for new projects.
- Updated Finish and French translations.
- Enforcing a redirect to setup of otp device when none available for user (#499)
- Confirmed Django 4.1 support
- WebAuthn support (thanks to Javier Paniagua)
- Confirmed Python 3.11 support
- Display the TOTP secret key alongside the QR code to streamline setup for password managers without QR support.
- Moved phonenumber migrations under the plugins directory.
- Avoid crash with email devices without email (#530).
- Django 2.2, 3.0, and 3.1 support
two_factor.utils.get_available_methods()
is replaced byMethodRegistry.get_methods()
.
- Python 3.10 support
- The setup view got a new
secret_key
context variable to be able to display that key elsewhere than in the QR code. - The token/device forms have now an
idempotent
class variable to tell if the form can validate more than once with the same input data. - A new email plugin (based on django_otp
EmailDevice
) can now be activated and used to communicate the second factor token by email.
- BREAKING: The phone capability moved to a plugins folder, so if you use that
capability and want to keep it, you should add
two_factor.plugins.phonenumber
line in yourINSTALLED_APPS
setting. Additionally, as thetwo_factor
templatetags library was only containing phone-related filters, the library was renamed tophonenumber
. - default_device utility function now caches the found device on the given user object.
- The
otp_token
form field forAuthenticationTokenForm
is now a DjangoRegexField
instead of anIntegerField
. - The Twilio gateway content for phone interaction is now template-based, and
the pause between digits is now using the
<Pause>
tag. - The QR code now always uses a white background to support pages displayed with a dark theme.
- Python 3.5 and 3.6 support
- Translations for new languages: Hausa, Japanese, Vietnamese
- Django 4.0 support
- Suppressed default_app_config warning on Django 3.2+
- qrcode dependency limit upped to 7.99 and django-phonenumber-field to 7
- When validating a TOTP after scanning the QR code, allow a time drift of +/-1 instead of just -1
- Support Twilio Messaging Service SID
- Add autofocus, autocomplete one-time-code and inputmode numeric to token input fields
- Change "Back to Profile" to "Back to Account Security"
- User can request that two-factor authentication be skipped the next time they log in on that particular device
- Django 3.1 support
- SMS message can now be customised by using a template
- Simplified
re_path()
topath()
in URLConf - Templates are now based on Bootstrap 4.
DisableView
now checks user has verified before disabling two-factor on their account- Inline CSS has been replaced to allow stricter Content Security Policies.
- Upper limit on django-otp dependency
- Obsolete IE<9 workarounds
- Workarounds for older versions of django-otp
No code changes for this version
- It is possible to set a timeout between a user authenticiating in the
LoginView
and them needing to re-authenticate. By default this is 10 minutes.
- The final step in the
LoginView
no longer re-validates a user's credentials. - Django 1.11 support.
- Security Fix:
LoginView
no longer stores credentials in plaintext in the session store.
Nothing has been added for this version
- MiddlewareMixin
- Python 3.4 support
- Django 2.1 support
mock
dependency
extra_requires
are now listed in lowercase. This is to workaround a bug inpip
.- Use
trimmed
option onblocktrans
to avoid garbage newlines in translations. random_hex
fromdjango_otp
0.8.0 will always return astr
, don't try to decode it.
- Support for Django 3.0.
- Optionally install full or light phonenumbers library.
- Python 2 support.
- Updated translations.
- 1.9.0 got pushed with incorrect changelog, no other changes.
- Support for Django 2.2.
- Ability to create
PhoneDevice
from Django admin. - Support for Python 3.7.
- Support for Django 2.1.
- Support for QRcode library up to 6.
- Translation: Romanian.
- Replace
ValidationError
withSuspiciousOperation
in views. - Change the wording in 2FA disable template.
- Updated translations.
- Support for Django 2.0.
- Django <1.11 support.
- Do not list phone method if it is not supported (#225).
- Pass request kwarg to authentication form (#227).
- Twilio client 6.0 usage (#211).
- Updated translation: Russian.
- Support Twilio client 6.0 (#203).
redirect_to
after successful login (#204)
- Updated translation: Norwegian Bokmål
- Support for Django 1.11 (#188).
- Django 1.9 support.
- Allow setting
LOGIN_REDIRECT_URL
to a URL (#192). DisableView
should also takesuccess_url
parameter (#187).
- Django 1.10’s MIDDLEWARE support.
- Allow
success_url
overrides fromurls.py
. - Autofocus token input during authentication.
- Translations: Polish, Italian, Hungarian, Finnish and Danish.
- Dropped Python 3.2 and 3.3 support.
- Renamed
redirect_url
properties tosuccess_url
to be consistent with Django.
- Allow Firefox users to enter backup tokens (#177).
- Allow multiple requests for QR code (#99).
- Don't add phone number without gateway (#92).
- Redirect to 2FA profile page after removing a phone (#159).