Settings reference¶
Every key in the MULTIFACTOR settings dict, exhaustive. Defaults are pulled
from multifactor/app_settings.py — keep this page in sync when adding new
keys.
from django.conf import settings
settings.MULTIFACTOR = {...}
If a key is absent from MULTIFACTOR, the default below is used. There is no
need to set keys you’re not changing.
Full table¶
Key |
Type |
Default |
Purpose |
|---|---|---|---|
|
|
|
Flash message shown after a successful MFA challenge. Must contain a single |
|
|
|
Whether to show |
|
|
|
Dotted import path of a callable |
|
|
|
Enable periodic re-challenge. When |
|
|
|
Earliest possible recheck after verification. |
|
|
|
Latest possible recheck after verification. The actual value per factor is uniformly random in |
|
|
|
WebAuthn Relying Party ID. Must match the user’s address-bar domain. See FIDO2 guide. |
|
|
|
Human-readable RP name shown in the browser’s WebAuthn prompt. |
|
|
|
Optional URL to an icon shown alongside the RP name on some platforms. |
|
|
|
Label that appears next to the account name inside authenticator apps. |
|
|
|
Factor types offered on the Add factor page. Removing a value here does not disable existing keys of that type. |
|
|
|
Out-of-band OTP transports. Keys are short names, values are |
|
|
|
Send a multipart text+HTML email when the email fallback transport is used. Set to |
|
|
|
Dotted import path of a callable |
Common patterns¶
Tight production defaults¶
MULTIFACTOR = {
"FIDO_SERVER_ID": "app.example.com",
"FIDO_SERVER_NAME": "Acme",
"TOKEN_ISSUER_NAME": "Acme",
"FACTORS": ["FIDO2", "TOTP"],
"RECHECK": True,
"RECHECK_MIN": 60 * 60, # 1 hour
"RECHECK_MAX": 60 * 60 * 2, # 2 hours
"HTML_EMAIL": True,
}
Permissive dev defaults (e.g. testsite)¶
MULTIFACTOR = {
"FIDO_SERVER_ID": os.environ.get("DOMAIN", "localhost"),
"FALLBACKS": {
"debug-console": (
lambda u: u,
"multifactor.factors.fallback.debug_print_console",
),
"email": (lambda u: u.email, "multifactor.factors.fallback.send_email"),
},
}
EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
High-security tight loop¶
MULTIFACTOR = {
"FIDO_SERVER_ID": "vault.example.com",
"FIDO_SERVER_NAME": "Vault",
"FACTORS": ["FIDO2"], # no TOTP — hardware keys only
"FALLBACKS": {}, # no escape hatch
"RECHECK": True,
"RECHECK_MIN": 15 * 60, # 15 minutes
"RECHECK_MAX": 30 * 60, # 30 minutes
}
See also¶
Architecture — where these settings are read.
Security best practices — choosing values for your threat model.