Add support for MFA for TOM user logins

[rachel3834]

Is your feature request related to a problem? Please describe.
NASA security requirements state that all applications hosted in NASA's Science Managed Cloud Environment must support MFA for user login.
TOMs under development for NASA's Roman mission will need this capability in order to migrate their deployment to NASA's Cloud.

Describe the solution you'd like
NASA are using Microsoft's Authenticator app to provide one-time passcodes, but the requirements aren't specific about the platform used for this purpose.

Further requirements state:

• All user passwords must have a minimum of 12 characters, include upper, lower case characters, numbers and special characters, be different from the AWS account username or email address
• All passwords and API keys must be changed every 60days
• All user accounts must:
  1) Include the following information - Full Name, Preferred User Identifier, Organization, Email, Phone Number
  2) Ensure users are presented with a terms of service agreement that they must sign before access is granted.
• API access must also use MFA

[jchate6]

MFA is great. Those top 2 requirements are based on security philosophy that's 20 years out of date... 🙄

[phycodurus]

I have a prototype implementation working using django-allauth (their example project). I don't see this being implemented as a separate re-usable app (like tom_mfa or anything like that). This involves fairly wide-ranging changes to tom_common. It touches upon the encrypted database field workflow and tom_registrations. It raises the issue of possibly replacing tom_registrations with functionality available in django-allauth. django-allauth suports workflows for:

• Registration
• Email address change, password change/forgotten
• Email address verification

In terms of meeting the NASA requirements:

• Microsoft Authenticator - I've tested QR code-based key exchange with Google Authenticator. (Microsoft Authenticator can also use QR codes for key exchange).
• API access MFA - Django REST Framework is supported
• TOS agreement before access - this will require a custom Sign-up Form, which is supported.
• forced password changes - not supported but doable. However, NIST has recently discouraged this: Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. (See item 6)

[rachel3834]

Hi Lindy, Joey This is very encouraging. Which two requirements are out of date? Either Microsoft or Google Authenticator apps would be fine. I think a lot of teams would like to be able to have a customize TOS agreement on sign up too. It is also possible for us to place requirements on passwords, i.e. the character limits and symbols?

…

On Wed, Feb 25, 2026 at 1:35 AM Lindy ***@***.***> wrote: *phycodurus* left a comment (TOMToolkit/tom_base#1416) <#1416 (comment)> I have a prototype implementation working using django-allauth <https://docs.allauth.org/en/latest/introduction/index.html> (their example project <https://django.demo.allauth.org/>). I don't see this being implemented as a separate re-usable app (like tom_mfa or anything like that). This involves fairly wide-ranging changes to tom_common. It touches upon the encrypted database field workflow and tom_registrations. It raises the issue of possibly replacing tom_registrations with functionality available in django-allauth. django-allauth suports workflows for: - Registration - Email address change, password change/forgotten - Email address verification In terms of meeting the NASA requirements: - Microsoft Authenticator - I've tested QR code-based key exchange with Google Authenticator. (Microsoft Authenticator can also use QR codes for key exchange). - API access MFA - Django REST Framework is supported - TOS agreement before access - this will require a custom Sign-up Form, which is supported. — Reply to this email directly, view it on GitHub <#1416 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACPJA3BX2TRORFL22GCPJT34NTU5FAVCNFSM6AAAAACVWZ57ZWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTSNJVGU4TSMRXGM> . You are receiving this because you authored the thread.Message ID: ***@***.***>