1.18.1

1.18.1

Added

• New translations for Azerbaijani and Serbian

1.18.0

1.18.0

Fixed

• Documentation for setting yubikey support forgot to inform users they would
  need to add our yubikey plugin to INSTALLED_APPS
• Remove reference to release-notes that had been missed, docs now build
  without warnings
• WebAuthn: avoid submitting the wrong form
• Email gateway: tell user to use correct django-otp plugin
• Fix infinite redirect on admin site with AdminSiteOTPRequiredMixin

Changed

• Allow qrcode 8.x.
• phonenumbers is no longer a hard requirement for users who don't require it.
• Change EmailDevice.confirmed default to False
• Any StaticDevice can be used as backup tokens, not just those labelled
  "backup"

Added

• Support for Django 5.2
• Support for Python 3.13
• Django check for INSTALLED_APPS to make sure two_factor is present and
  comes before its plugins

Removed

• Drop support for Python 3.8

1.17.0

1.17.0

Fixed

• Fixed the XML syntax of the Twilio token.xml file.
• The Yubikey token field is now receiving autofocus.
• Avoid crashes for devices with no throttle_* methods (#699).
• Fixed format of the hash for the OTP device cookie key.

Changed

• Allow django-phonenumber-field 8.x.x.
• Project build is now using a more modern toolbox based on pyproject.toml (no
  more setup.*).
• The plugins method registry can now return a new MethodNotFoundError
  exception when some method is not found in the plugins registry.

Added

• Support confirmation for Django 5.1.
• The login view is also decorated with the login_not_required decorator for
  projects using the new LoginRequiredMiddleware available with Django 5.1+.

Removed

• Dropped support for Django <4.2.
• Removed custom utils.class_view_decorator() in favor of Django's
  method_decorator().

1.16.0

1.16.0

Fixed

• Avoid potentially empty <ul> on the profile page.

Changed

• Upgraded minimal webauthn dependency to 2.0 (which also removes a deprecation
  warning) (#634, #701). Note the pydantic dependency was removed in
  webauthn 2.
• Checking phone method availability uses now the method registry (#665).
• Logout example uses POST method to match recent Django behavior.
• Updated translations.

Added

• Support confirmation for Django 5.0 and Python 3.12.
• A new main_form_content template block on login template allows for easier
  overridability.

1.15.1

Fixed

• Missing plugin templates (#583).
• Migrations of two_factor app are squashed to avoid requiring phonenumber_field
  optional dependency for new projects.

Changed

• Updated Finish and French translations.

1.15.0

Added

• Enforcing a redirect to setup of otp device when none available for user (#499)
• Confirmed Django 4.1 support
• WebAuthn support (thanks to Javier Paniagua)
• Confirmed Python 3.11 support

Changed

• Display the TOTP secret key alongside the QR code to streamline setup for
  password managers without QR support.
• Moved phonenumber migrations under the plugins directory.
• Avoid crash with email devices without email (#530).

Removed

• Django 2.2, 3.0, and 3.1 support
• two_factor.utils.get_available_methods() is replaced by
  MethodRegistry.get_methods().

1.14.0

Added

• Python 3.10 support
• The setup view got a new secret_key context variable to be able to display
  that key elsewhere than in the QR code.
• The token/device forms have now an idempotent class variable to tell if the
  form can validate more than once with the same input data.
• A new email plugin (based on django_otp EmailDevice) can now be activated
  and used to communicate the second factor token by email.

Changed

• BREAKING: The phone capability moved to a plugins folder, so if you use that
  capability and want to keep it, you should add two_factor.plugins.phonenumber
  line in your INSTALLED_APPS setting. Additionally, as the two_factor
  templatetags library was only containing phone-related filters, the library
  was renamed to phonenumber.
• default_device utility function now caches the found device on the given user
  object.
• The otp_token form field for AuthenticationTokenForm is now a Django
  RegexField instead of an IntegerField.
• The Twilio gateway content for phone interaction is now template-based, and
  the pause between digits is now using the <Pause> tag.
• The QR code now always uses a white background to support pages displayed
  with a dark theme.

Removed

• Python 3.5 and 3.6 support

1.13.2

Added

• Translations for new languages: Hausa, Japanese, Vietnamese
• Django 4.0 support

Changed

• Suppressed default_app_config warning on Django 3.2+
• qrcode dependency limit upped to 7.99 and django-phonenumber-field to 7
• When validating a TOTP after scanning the QR code, allow a time drift of +/-1 instead of just -1

1.13.1

Add

• Support Twilio Messaging Service SID
• Add autofocus, autocomplete one-time-code and inputmode numeric to token input fields

Changed

• Change "Back to Profile" to "Back to Account Security"

1.13

Added

• User can request that two-factor authentication be skipped the next time they
  log in on that particular device
• Django 3.1 support
• SMS message can now be customised by using a template

Changed

• Simplified re_path() to path() in URLConf
• Templates are now based on Bootstrap 4.
• DisableView now checks user has verified before disabling two-factor on
  their account
• Inline CSS has been replaced to allow stricter Content Security Policies.

Removed

• Upper limit on django-otp dependency
• Obsolete IE<9 workarounds
• Workarounds for older versions of django-otp