[SIP-175] TOTP Authentication for Login
Motivation
Apache Superset currently supports database logins (AUTH_DB) and external identity providers (LDAP, OAuth, SAML, etc.).
It does not offer native two-factor authentication (2FA).
Adding TOTP (Time-based One-Time Password) support will:
- Strengthen security for self-hosted deployments that lack SSO
- Align Superset with industry standards (Google Authenticator, Authy, Microsoft Authenticator, etc.)
- Reduce risk associated with password-only authentication
Proposed Change
- Database
  - Add a nullable `totp_secret` column to the `ab_user` table.

```python
# Alembic migration: adds the nullable totp_secret column to ab_user
from alembic import op
import sqlalchemy as sa


def upgrade():
    op.add_column(
        "ab_user",
        sa.Column("totp_secret", sa.String(length=255), nullable=True),
    )
```
- Login Flow
  - Extend `AuthDBView` and `AuthLDAPView`:
    - After username/password succeeds, check `totp_secret`.
    - If `None`, redirect to `/totp-enroll`:
      - Generate `totp_secret` with `pyotp.random_base32()`
      - Display QR code for enrollment
    - Otherwise, redirect to `/totp-verify` to validate the OTP
- Templates
  - `totp_enroll.html` – shows QR and first-time OTP entry
  - `totp_verify.html` – OTP form on every login
- Admin Reset (Optional)
  - Add Reset TOTP bulk action in Security → List Users which can be implemented
New or Changed Public Interfaces
| Interface | Change |
|---|---|
| DB (ab_user) | Adds totp_secret column |
| Views | New routes: /totp-enroll, /totp-verify |
| Admin UI | Optional reset action in UserDBModelView |
New Dependencies
| Package | Purpose | License | Maintained |
|---|---|---|---|
| pyotp | TOTP generation and verification | MIT | :white_check_mark: |
| qrcode | Generate QR codes for secret | BSD | :white_check_mark: |
Migration Plan & Compatibility
- One Alembic migration adds the new column
- Existing users unaffected unless they opt-in
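The enroll / verify branch described in the proposal, as an added example that is not part of the SIP or of Superset's or pyotp's code. To run offline it re-implements RFC 6238 TOTP with the standard library instead of calling pyotp (`random_base32` and `totp` mirror the pyotp calls the proposal names), and it goes slightly beyond the text in two places a practitioner would want: the secret stays pending until the user proves the first OTP on the enroll page, and the verifier rejects a code whose time step was already accepted (replay) and compares in constant time. The `user` dict stands in for an `ab_user` row, `TotpVerifier` holds a hypothetical in-memory per-user store, and `after_password_ok` / `confirm_enrollment` are illustrative names, not Superset view methods.

```python
"""Added example: stdlib-only RFC 6238 TOTP plus the enroll/verify branch.
Not Superset's or pyotp's code; the user dict and the in-memory replay store
are stand-ins for the ab_user row and a real persistent store."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional
from urllib.parse import quote


def random_base32(nbytes: int = 20) -> str:
    """New enrollment secret: 160 random bits, base32 without padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step)


def provisioning_uri(secret_b32: str, username: str, issuer: str = "Superset") -> str:
    """otpauth:// URI that the enroll page would render as a QR code."""
    label = f"{quote(issuer)}:{quote(username)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: small clock-skew window, constant-time compare,
    and rejection of a time step that was already accepted for this user."""

    def __init__(self, window: int = 1, step: int = 30) -> None:
        self.window = window
        self.step = step
        self._last_counter: Dict[str, int] = {}  # hypothetical per-user store

    def verify(self, user_id: str, secret_b32: str, code: str,
               now: Optional[int] = None) -> bool:
        code = code.strip()
        if len(code) != 6 or any(ch not in "0123456789" for ch in code):
            return False  # malformed input never reaches the HMAC compare
        t = int(time.time()) if now is None else now
        base = t // self.step
        for delta in range(-self.window, self.window + 1):
            c = base + delta
            if hmac.compare_digest(hotp(secret_b32, c), code):
                if c <= self._last_counter.get(user_id, -1):
                    return False  # same or older step already used: replay
                self._last_counter[user_id] = c
                return True
        return False


def after_password_ok(user: dict, verifier: TotpVerifier,
                      code: Optional[str] = None, now: Optional[int] = None) -> str:
    """The branch added after a successful username/password check."""
    if user.get("totp_secret") is None:
        # Keep the fresh secret pending until the user proves they enrolled it.
        user["pending_totp_secret"] = random_base32()
        return "redirect:/totp-enroll"
    if code is None:
        return "redirect:/totp-verify"
    if verifier.verify(user["username"], user["totp_secret"], code, now):
        return "login-complete"
    return "totp-failed"


def confirm_enrollment(user: dict, verifier: TotpVerifier, code: str,
                       now: Optional[int] = None) -> bool:
    """First-time OTP entry on /totp-enroll; only then persist totp_secret."""
    pending = user.get("pending_totp_secret")
    if pending is None or not verifier.verify(user["username"], pending, code, now):
        return False
    user["totp_secret"] = user.pop("pending_totp_secret")
    return True


if __name__ == "__main__":
    u = {"username": "demo", "totp_secret": None}
    v = TotpVerifier()
    print(after_password_ok(u, v))
    print(provisioning_uri(u["pending_totp_secret"], u["username"]))
    print(confirm_enrollment(u, v, totp(u["pending_totp_secret"])))
```

The window of one step either side tolerates ordinary phone clock drift; widening it increases the number of codes an attacker can guess per attempt, so pair the check with rate limiting on `/totp-verify`. Storing the last accepted counter is what stops a code that was shoulder-surfed or phished from being replayed inside the same 30-second step.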
Comment From: ghostp13409
Hey, I would like to give it a try.
Comment From: rusackas
Seems this is ready for a DISCUSS thread on the dev@ mailing list. Let me know (here or on Slack) if you would like help with that process.
Also curious if @villebro @michael-s-molina @mistercrunch @dpgaspar have experience/opinions here.
Comment From: mistercrunch
+1 would be neat!
Comment From: Dev10-34
Hey @mistercrunch, @rusackas, I have implemented MFA in an older version of Superset for the AUTH_DB type login and authentication (which our organization uses) that I can adapt to the latest versions and create a PR. Is this possibly a feature worth adding to Superset?
Comment From: rusackas
@Dev10-34 we're open to a PR from the sound of it, but this still needs to be brought up as a DISCUSS thread on the dev mailing list to move forward.