Two-factor authentication

Two-factor authentication (2FA) is a way to improve security and prevent unauthorized persons from accessing user accounts.

Practically, 2FA means storing a secret inside an authenticator, usually on a mobile phone, and entering a one-time code generated by that authenticator from the secret when trying to log in.

This means an unauthorized user would need to guess the account password and have access to the authenticator, which is a more difficult proposition.
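As an added illustration that is not part of the Odoo documentation, the following Python code shows the TOTP algorithm (RFC 6238: HMAC-SHA1 over a 30-second time step, six digits) that authenticator apps such as Google Authenticator use to turn the shared secret into the code entered at login, together with the server-side verification a practitioner should expect, including drift tolerance and replay rejection. The base32 secret is the constructed test value from RFC 6238, not an Odoo secret, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed test secret from RFC 6238 ("12345678901234567890" in base32),
# standing in for the secret an application shows when the QR code cannot be scanned.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator secrets are shown in base32, often space-grouped and unpadded."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 decoders expect
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """What the authenticator displays: HOTP with the counter derived from Unix time."""
    at = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, last_accepted: int = -1,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the accepted counter, or None if the code is rejected.

    `window` tolerates clock drift of one step either way; `last_accepted` is the
    counter of the last code this account used, so a captured code cannot be replayed
    within the same step. The caller persists the returned counter per account.
    """
    key = decode_base32_secret(secret_b32)
    base = at // step
    accepted = None
    for delta in range(-window, window + 1):
        counter = base + delta
        # compare_digest avoids leaking which digits matched through timing differences
        if hmac.compare_digest(hotp(key, counter), submitted) and counter > last_accepted:
            accepted = counter
    return accepted
```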

Requirements

Important

These lists are just examples. They are not endorsements of any specific software.

Phone-based authenticators are the easiest and most commonly used. Examples include:

Password managers are another option. Common examples include:

Note

The remainder of this document uses Google Authenticator as an example, as it is one of the most commonly used. This is not an endorsement of the product.

Two-factor authentication setup

After selecting an authenticator, log in to Odoo, then click the profile avatar in the upper-right corner, and select My Profile from the resulting drop-down menu.

Click the Account Security tab, then slide the Two-Factor Authentication toggle to active.


This generates a Security Control pop-up window that requires password confirmation to continue. Enter the appropriate password, then click Confirm Password. Next, a Two-Factor Authentication Activation pop-up window appears, with a QR code.


Using the desired authenticator application, scan the QR code when prompted.

Tip

If scanning the screen is not possible (e.g. because the setup is being completed on the same device that runs the authenticator application), click the provided Cannot scan it? link instead, and copy the displayed secret into the authenticator to set it up manually.


Afterwards, the authenticator should display a verification code.


Enter the code into the Verification Code field, then click Activate.


Logging in

To confirm 2FA setup is complete, log out of Odoo.

On the login page, input the username and password, then click Log in. On the Two-factor Authentication page, input the code provided by the chosen authenticator in the Authentication Code field, then click Log in.

The login page with 2fa enabled.

Danger

If a user loses access to their authenticator, an administrator must deactivate 2FA on the account before the user can log in.

Enforce two-factor authentication

To enforce the use of 2FA for all users, first navigate to Main Odoo Dashboard ‣ Apps. Remove the Apps filter from the Search… bar, then search for 2FA by mail.

Click Install on the Kanban card for the 2FA by mail module.

The 2FA by mail module in the Apps directory.

After installation is complete, go to Settings app ‣ Permissions. Tick the checkbox labeled Enforce two-factor authentication. Then, use the radio buttons to choose whether to apply this setting to Employees only, or All users.

Note

Selecting All users applies the setting to portal users, in addition to employees.

The enforce two factor setting in the Settings application.

Click Save to commit any unsaved changes.