Django CSRF vs 2FA


I am using a contractor for web development and as part of admin panel security, he wants to implement CSRF.

I have never used CSRF but multiple websites use 2FA. He said CSRF will take care of security and I don't need 2FA.

I can't find articles comparing CSRF vs 2FA. Can you please comment on the pros and cons of Django CSRF vs 2FA?

1 answer

Answer by knbk (accepted answer):

You won't find any articles comparing the two, because they are entirely orthogonal concepts.

Cross-site request forgery (CSRF) protection is a basic security requirement for any application that uses cookies for session management. An attacker can trick a victim's browser into sending a forged request, which will use the victim's cookies to authenticate the request. CSRF protection detects and rejects these forged requests. Not implementing CSRF protection is a serious security issue.

2FA adds an additional step to logging in. If one of the factors (e.g. the password) is compromised, an attacker still can't log in without the second factor. Even if the session cannot be compromised by CSRF attacks, implementing 2FA will increase the security of your users' accounts.

CSRF protection in no way substitutes 2FA.
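To make the "orthogonal" point concrete, here is an added, self-contained model of both checks (my own example, not code from the question, the answer, or Django itself). It imitates what Django's CsrfViewMiddleware does with the `csrfmiddlewaretoken` form field (a per-session secret compared against the submitted field, without Django's token masking) and adds a separate TOTP second factor (RFC 6238, HMAC-SHA1, 30-second steps) that gates the session until the user has completed login. The in-memory session store, the `handle_admin_post` handler and its status codes are assumptions for illustration. A forged cross-site POST carries the session cookie but not the token, so it fails the CSRF check; a request from a user whose password was phished passes the CSRF check but is still blocked until the second factor is verified.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed in-memory session store: session id -> session data.
SESSION_STORE = {}


def new_session(user):
    """Create a cookie-backed session with a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
        "mfa_verified": False,  # second factor not yet supplied
    }
    return sid


def csrf_check(session_id, submitted_token):
    """Synchronizer-token check: the form field must match the session token."""
    session = SESSION_STORE.get(session_id)
    if session is None or submitted_token is None:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps of clock skew."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def complete_second_factor(session_id, totp_secret, code, at_time):
    """Second login step: mark the session verified only if the TOTP code is right."""
    session = SESSION_STORE.get(session_id)
    if session is None or not verify_totp(totp_secret, code, at_time):
        return False
    session["mfa_verified"] = True
    return True


def handle_admin_post(session_id, form):
    """Admin POST handler: CSRF check first, then the 2FA gate. Returns an HTTP status."""
    session = SESSION_STORE.get(session_id)
    if session is None:
        return 401
    if not csrf_check(session_id, form.get("csrfmiddlewaretoken")):
        return 403  # forged cross-site request: cookie present, token missing or wrong
    if not session["mfa_verified"]:
        return 403  # login incomplete: password alone is not enough
    return 200


def scenario():
    """Walk through the three cases the answer describes; returns the status codes."""
    totp_secret = b"12345678901234567890"  # RFC 6238 test key, constructed for the demo
    now = 59                               # RFC 6238 test time, step counter 1
    sid = new_session("admin")
    token = SESSION_STORE[sid]["csrf_token"]

    # 1. Attacker-crafted form: the browser sends the cookie, but the token is absent.
    forged = handle_admin_post(sid, {"action": "delete_all"})
    # 2. Real form after password login only: token is right, second factor is not done.
    password_only = handle_admin_post(sid, {"csrfmiddlewaretoken": token, "action": "x"})
    # 3. Second factor completed with the correct TOTP code, then the same request.
    complete_second_factor(sid, totp_secret, totp(totp_secret, now), now)
    full_login = handle_admin_post(sid, {"csrfmiddlewaretoken": token, "action": "x"})
    return forged, password_only, full_login


if __name__ == "__main__":
    print(scenario())
```

The two checks fail independently: removing the CSRF check would let case 1 through even with 2FA enabled, and removing the 2FA gate would let case 2 through even with perfect CSRF protection.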