
67.94

v 12.0 Third Party 1
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 474
Technical Name rl_auth_totp
License: OPL-1
Website: https://www.odoo.com/documentation/user/14.0/general/auth/2fa.html
Versions 12.0 13.0

Two-Factor Authentication (TOTP)

Installation

  1. Navigate to Apps
  2. Find with keyword 'rl_auth_totp'
  3. Install it as usual then you are done

Concepts

Two-factor authentication ("2FA") is a good way to improve the security of an account, making it less likely that another person will manage to log in instead of you.

Practically, it means storing a secret inside an authenticator (usually your cell phone) and exchanging a code from the authenticator when you try to log in.

This means an attacker needs both to have guessed (or found) your password and to access (or steal) your authenticator, a more difficult proposition than either one or the other.

Key Features

Allows users to configure two-factor authentication on their user account for extra security, using time-based one-time passwords (TOTP).

Once enabled, the user will need to enter a 6-digit code as provided by their authenticator app before being granted access to the system. All popular authenticator apps are supported.

Note: logically, two-factor authentication prevents password-based RPC access for users who have it enabled. To be able to execute RPC scripts, the user can set up API keys to replace their main password.
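How the stored secret becomes the 6-digit code, and what a careful server-side check looks like, as an added example that is not the module's own code. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step) and the common `otpauth://` provisioning URI format, neither of which this page states; the sample URI is constructed from the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test key as a provisioning URI (assumed format).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri):
    """Return the raw key bytes carried in an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, at, step=30):
    """RFC 6238: the counter is the number of `step`-second periods since epoch."""
    return hotp(key, int(at) // step)

def verify(key, submitted, at, last_used=-1, window=1, step=30):
    """Return the matched time step, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any step <= `last_used` so an accepted code cannot be replayed.
    """
    now = int(at) // step
    matched = None
    for candidate in range(max(now - window, last_used + 1, 0), now + window + 1):
        expected = hotp(key, candidate).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            matched = candidate
    return matched

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(totp(key, 59))               # code for the RFC 6238 test time T=59
    print(verify(key, totp(key, 59), 89))  # same code, submitted one step late
```

The caller should persist the returned step as `last_used` for the account, so the same code is rejected if it is submitted a second time within its validity window.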

Requirements

Note

These lists are just examples; they are not endorsements of any specific software.

If you don't already have one, you will need to choose an authenticator.

Phone-based authenticators are the easiest and most common, so we will assume you'll pick and install one on your phone. Examples include Authy, FreeOTP, Google Authenticator, LastPass Authenticator, Microsoft Authenticator, ... Password managers also commonly include 2FA (two-factor authentication) support, e.g. 1Password, Bitwarden, ...

For the sake of demonstration we will be using Google Authenticator (not because it is any good but because it is quite common).

Setting up two-factor authentication

Once you have your authenticator of choice, go to the Odoo instance on which you want to set up 2FA (two-factor authentication), then open Preferences (or My Profile):

preferences.png

Open the Account Security tab, then click the Enable two-factor authentication button:

sec_tab.png

Because this is a security-sensitive action, you will need to input your password:

sec_enhanced.png

After which you will see this screen with a barcode:

totp_scan.png

In most applications, you can simply scan the barcode with the authenticator of your choice; the authenticator will then take care of all the setup:

scan_barcode.jpg

Note

If you cannot scan the screen (e.g. because you are doing this setup on the same phone as the authenticator application), you can click the provided link, or copy the secret to set up your authenticator manually:

secret_visible.png
input_secret.png

Once this is done, the authenticator should display a verification code with some useful identifying information (e.g. the domain and login the code is for):

authenticator.png

You can now input the code into the Verification Code field, then click the Enable two-factor authentication button.

Congratulations, your account is now protected by two-factor authentication!

totp_enabled.png

Logging in

You should now Log out to follow along.

On the login page, input the username and password of the account for which you set up 2FA (two-factor authentication). Rather than immediately entering Odoo, you will now get a second log-in screen:

2fa_input.png

Get your authenticator, input the code it provides for the domain and account, validate, and you're now in.

And that's it. From now on, unless you disable 2FA (two-factor authentication), you will have a two-step log-in process rather than the old one-step process.

!DANGER!

Don't lose your authenticator. If you do, you will need an Odoo Administrator to disable 2FA (two-factor authentication) on the account.

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
