SHA-256 Hashed OTP Storage

The raw 6-digit code is never persisted. Only its SHA-256 hash is stored — plaintext is gone the moment it's sent.

Dual Verification Modes

OTP (user types a 6-digit code) or Link (user clicks a tokenised URL). Both share the same secret — switchable without code changes.

Configurable Expiry Window

Both OTPs and links expire after a configurable number of hours (default 24h). Controlled via Validation Expiration (Hrs) in Website Settings.

Attempt-Based Blocking

Wrong OTP submissions increment a per-user counter. When the configured maximum is hit (default 3), the user is blocked to the error/resend page.

60-Second Resend Cooldown

The resend route checks otp_last_sent on the user record. Requests within 60 seconds are rejected, preventing OTP-flood attacks.

Intercepts Signup & Login

New users caught at /web/signup. Existing unverified portal users intercepted at /web/login post-auth and sent through the same flow.

Portal-Only Enforcement

System/admin users bypass verification entirely via _is_system(), keeping your Odoo backend operations completely unaffected.

Enable / Disable Toggle

Set to OTP, Link, or Disable from Website → Configuration → Settings. When re-enabled, all unverified users must verify on next login.

Admin Manual Verification

Administrators can flip verified = True directly from the backend user form — no email flow required — for edge cases or support.

Branded Email Templates

One mail.template powers both modes — OTP block or link button. Company logo, name, phone, and email auto-populated via QWeb.

Theme-Compatible UI

All verification pages extend web.login_layout, inheriting your active Odoo website theme. No custom CSS overrides required.

Anti-Bot Registration

Automated signups that don't control the registered inbox are silently dead — they complete the form but can never complete verification.