It would be a huge step forward if the standard Django release included built-in support for Passkeys and 2FA.
Right now, relying on plain passwords for user and admin logins leaves projects exposed. Bots are constantly trying to guess passwords, and it only takes one weak account to cause serious problems.
Having first-class authentication options in Django by default would raise the security baseline for everyone in the community and make secure practices much easier to adopt. This feels like an area where Django could really lead by example.
There’s an open issue on the “new features” repository about authentication improvements:
opened 02:22PM - 27 Apr 25 UTC
Authentication/Users
### Code of Conduct
- [x] I agree to follow Django's Code of Conduct
### Feature Description
(This is a split from https://github.com/django/new-features/issues/10)
### Problem
Django has a builtin authentication system, but it doesn't cover features that should be present in any authentication system (e.g. 2FA), [as per NIST suggestions](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf). It is fine for local testing and production services categorised at AAL1 level, but anything above that requires 3rd party packages (`django-allauth` comes to mind as an example of a very robust and feature rich package).
I understand that Django can't just merge `django-allauth` and call it a day. A framework has a radically different release schedule compared to a 3rd party package, and supporting oauth with XYZ service (which would require hardcoding URLs of external services) feels like a stretch, but maybe there could be a middle ground. Maybe Django can integrate into its core some parts of `django-allauth`?
### Request or proposal
Request changes for Django to implement / provide out of the box:
* at least basic password-related functionality (user registration, password recovery, etc...)
* secure authentication mechanisms (2FA / MFA; maybe hardware authentication, eg. yubikeys)
* stateless authentication (jwt creation, refresh, invalidation, etc...)
I would suggest trying to integrate the core (features) of `django-allauth`.
### Additional Details
_No response_
### Implementation Suggestions
_No response_
I think that would be a better place for large feature suggestions like this rather than the forum.