Skip to content

Latest commit

 

History

History
 
 

auth_totp

License: LGPL-3

MFA Support via TOTP

This module adds support for MFA using TOTP (time-based, one-time passwords). It allows users to enable/disable MFA and manage authentication apps/devices via the "Change My Preferences" view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen where they have to enter a password generated by one of their authentication apps and are presented with the option to remember the current device. This creates a secure, HTTP-only cookie that allows subsequent logins to bypass the MFA step.

Installation

  1. Install the PyOTP library using pip: pip install pyotp
  2. Follow the standard module install process

Configuration

By default, the trusted device cookies introduced by this module have a Secure flag and can only be sent via HTTPS. You can disable this by going to Settings > Parameters > System Parameters and changing the auth_totp.secure_cookie key to 0, but this is not recommended in production as it increases the likelihood of cookie theft via eavesdropping.

Usage

Install and enjoy.

Try me on Runbot

Known Issues / Roadmap

Known Issues

  • The module does not uninstall cleanly due to an Odoo bug, leaving the res.users.authenticator and res.users.device models partially in place. This may be addressed at a later time via an Odoo fix or by adding custom uninstall logic via an uninstall hook.

Roadmap

  • Make the various durations associated with the module configurable. They are currently hard-coded as follows:
    • 15 minutes to enter an MFA confirmation code after a password log in
    • 30 days before the MFA session expires and the user has to log in again
    • 30 days before the trusted device cookie expires
  • Add logic to extend an MFA user's session each time it's validated, effectively keeping it alive indefinitely as long as the user remains active
  • Add device fingerprinting to the trusted device cookie and provide a way to revoke trusted devices
  • Add company-level settings for forcing all users to enable MFA and disabling the trusted device option

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.

Credits

Images

  • Odoo Community Association: Icon.

Contributors

Maintainer

Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.