I created a Django app using django-two-factor-auth to enable two factor authorization using Google Authenticator. I also configured django-defender to protect my site from brute force attacks. It works correctly for the default django.contrib.auth. However, it doesn't do anything for the custom OTP authorization page.
From my research I suppose the custom login method should be decorated with @watch_login from defender.decorators. But I have no clue which method that should be (possibly one from django-otp?) nor how to override this method with the decorator in my code.
By the way, django-two-factor-auth already has some kind of brute force protection: the screen where you submit the Google authorization code correctly locks out after a few tries. However, the first 'standard' login page does not use that feature.
If django-defender is not the right method to do this I am open to any other suggestions.
I was not able to make django-defender work with my project.
However, using django-axes, which django-defender is based on, worked plug-and-play.
The way to make custom login views work for django-defender is the @watch_login decorator, where for django-axes it is passing the request to the authenticate function (from django-axes docs):
tl;dr - the way to protect django-two-factor-auth from brute force attacks is to use django-axes.
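An added example, not code from the post or from the django-axes documentation: a constructed, trimmed settings fragment for a django-two-factor-auth project using django-axes, plus a small check of the ordering django-axes documents (its backend first, its middleware last). The helper name axes_wiring_problems and the limit values are assumptions.

```python
# Constructed settings fragment (trimmed; a real two_factor project lists more apps).
INSTALLED_APPS = [
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django_otp",
    "django_otp.plugins.otp_totp",
    "two_factor",
    "axes",
]
AUTHENTICATION_BACKENDS = [
    # Must be first so a locked-out request is refused before credentials are checked.
    "axes.backends.AxesStandaloneBackend",
    "django.contrib.auth.backends.ModelBackend",
]
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django_otp.middleware.OTPMiddleware",
    "axes.middleware.AxesMiddleware",  # must be last
]
AXES_FAILURE_LIMIT = 5  # assumed value: failed attempts before lockout
AXES_COOLOFF_TIME = 1   # assumed value: lockout duration in hours

AXES_BACKENDS = (
    "axes.backends.AxesStandaloneBackend",
    "axes.backends.AxesBackend",
)
AXES_MIDDLEWARE = "axes.middleware.AxesMiddleware"


def axes_wiring_problems(apps, backends, middleware):
    """Return the ways a configuration departs from django-axes' documented wiring."""
    problems = []
    if "axes" not in apps:
        problems.append("axes missing from INSTALLED_APPS")
    if not backends or backends[0] not in AXES_BACKENDS:
        problems.append("axes backend is not first in AUTHENTICATION_BACKENDS")
    if not middleware or middleware[-1] != AXES_MIDDLEWARE:
        problems.append("AxesMiddleware is not last in MIDDLEWARE")
    return problems


if __name__ == "__main__":
    print(axes_wiring_problems(INSTALLED_APPS, AUTHENTICATION_BACKENDS, MIDDLEWARE))
```

Any custom login view still has to pass the request through, as the answer says, by calling authenticate(request=request, ...).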