Fixed

• Missing plugin templates (#583).
• Migrations of two_factor app are squashed to avoid requiring phonenumber_field optional dependency for new projects.

Changed

• Updated Finish and French translations.

Added

• Enforcing a redirect to setup of otp device when none available for user (#499)
• Confirmed Django 4.1 support
• WebAuthn support (thanks to Javier Paniagua)
• Confirmed Python 3.11 support

Changed

• Display the TOTP secret key alongside the QR code to streamline setup for password managers without QR support.
• Moved phonenumber migrations under the plugins directory.
• Avoid crash with email devices without email (#530).

Removed

• Django 2.2, 3.0, and 3.1 support
• two_factor.utils.get_available_methods() is replaced by MethodRegistry.get_methods().

Added

• Python 3.10 support
• The setup view got a new secret_key context variable to be able to display that key elsewhere than in the QR code.
• The token/device forms have now an idempotent class variable to tell if the form can validate more than once with the same input data.
• A new email plugin (based on django_otp EmailDevice) can now be activated and used to communicate the second factor token by email.

Changed

• BREAKING: The phone capability moved to a plugins folder, so if you use that capability and want to keep it, you should add two_factor.plugins.phonenumber line in your INSTALLED_APPS setting. Additionally, as the two_factor templatetags library was only containing phone-related filters, the library was renamed to phonenumber.
• default_device utility function now caches the found device on the given user object.
• The otp_token form field for AuthenticationTokenForm is now a Django RegexField instead of an IntegerField.
• The Twilio gateway content for phone interaction is now template-based, and the pause between digits is now using the <Pause> tag.
• The QR code now always uses a white background to support pages displayed with a dark theme.

Removed

• Python 3.5 and 3.6 support

Added

• Translations for new languages: Hausa, Japanese, Vietnamese
• Django 4.0 support

Changed

• Suppressed default_app_config warning on Django 3.2+
• qrcode dependency limit upped to 7.99 and django-phonenumber-field to 7
• When validating a TOTP after scanning the QR code, allow a time drift of +/-1 instead of just -1

Add

• Support Twilio Messaging Service SID
• Add autofocus, autocomplete one-time-code and inputmode numeric to token input fields

Changed

• Change "Back to Profile" to "Back to Account Security"

Added

• User can request that two-factor authentication be skipped the next time they log in on that particular device
• Django 3.1 support
• SMS message can now be customised by using a template

Changed

• Simplified re_path() to path() in URLConf
• Templates are now based on Bootstrap 4.
• DisableView now checks user has verified before disabling two-factor on their account
• Inline CSS has been replaced to allow stricter Content Security Policies.

Removed

• Upper limit on django-otp dependency
• Obsolete IE<9 workarounds
• Workarounds for older versions of django-otp

No changes in this release. Pushed new version to PyPI dropping the plaintext warning.

Added

• It is possible to set a timeout between a user authenticiating in the LoginView and them needing to re-authenticate. By default this is 10 minutes.

Removed

• The final step in the LoginView no longer re-validates a user's credentials.
• Django 1.11 support.

Changed

• Security Fix: LoginView no longer stores credentials in plaintext in the session store.

Added

Nothing has been added for this version

Removed

• MiddlewareMixin
• Python 3.4 support
• Django 2.1 support
• mock dependency

Changed

• extra_requires are now listed in lowercase. This is to workaround a bug in pip.
• Use trimmed option on blocktrans to avoid garbage newlines in translations.
• random_hex from django_otp 0.8.0 will always return a str, don't try to decode it.

Added

• Support for Django 3.0.
• Optionally install full or light phonenumbers library.

Removed

• Python 2 support.

Changed

• Updated translations.