Skip to Content

Forced Two-Factor Authentication (2FA)

by
Odoo
v 19.0 Third Party 68
Download for v 19.0 Deploy on Odoo.sh
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 238
Technical Name kw_2fa
LicenseLGPL-3
Websitehttps://kitworks.systems/
Versions 18.0 19.0
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 238
Technical Name kw_2fa
LicenseLGPL-3
Websitehttps://kitworks.systems/
Versions 18.0 19.0

What this module does

Forces every user to enable TOTP two-factor authentication on first login. Blocks system access until 2FA is configured. Compatible with any standard authenticator app.

Mandatory enrollment

Every user must configure TOTP before accessing the system. Existing users are prompted on next login.

Standard authenticator apps

Works with Google Authenticator, Microsoft Authenticator, Authy and any RFC 6238 compatible app.

Block until enabled

Login is denied with a clear message until 2FA setup is complete. No backdoor for unenrolled accounts.

Audit-friendly

Built on top of the standard auth_totp module so all enrolment history flows through native logs.

See it in action

Authenticator app setup page with QR code on first login

First login forces TOTP enrolment. Scan once with any authenticator and you are in.

Need help?

Questions, customisation or paid support — we’ll get back the same business day.

info@kitworks.systems

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author, please use the developer contact information. They can usually be found in the description.
How to use this app after install/activate
by
Faisal Khan
on 5/28/26, 12:31 PM

is there any documentation on how to use i?

I really dont see any difference.  Odoo already have google authenticator.  So why would I need this? How do I change settings or enforce your app to makesure authenticator is enforced

How to use this app after install/activate
by
Vladimir Karabanov
on 5/29/26, 6:14 AM Author

What kw_2fa does vs. Odoo's built-in TOTP

Odoo's built-in auth_totp (which this module builds on) gives users an option to enable 2FA. Each user can choose to enable or skip it via their profile settings. Admins can suggest it but cannot truly force it.

kw_2fa enforces it — no opt-out. That's the entire point.

FeatureOdoo built-inkw_2fa
TOTP support (Google Auth, etc.)✅ (same apps work)
User can skip 2FA❌ — blocked
Redirect to setup on first login
"Trusted device" / remember me❌ — code every login
Admin can bypassoptional✅ (admin root only)
Any config needed after installNone

How enforcement works

The key override is in models/res_users.py:22-25:

def _mfa_type(self):
    if self.id == self.env.ref('base.user_root').id:
        return super()._mfa_type()  # admin can bypass
    return 'totp'  # everyone else: TOTP forced

And line 27-29:

def _mfa_url(self):
    if not self.totp_enabled:
        return '/kw_2fa/setup_totp'  # redirect to QR setup, not login

So:

  1. Any user without TOTP set up → intercepted after password login → sent to QR code setup page
  2. Any user with TOTP set up → must enter code on every login (no skip, no remember)

Settings / Configuration

There are no UI settings to toggle — enforcement is absolute by design. The only things you can change are in the source code:

  • To also enforce on admin: remove the if self.id == ... guard in _mfa_type()
  • To exclude specific users: add additional conditions to _mfa_type()

To use it: install the module. That's it — it activates immediately for all non-admin users.

How to use this app after install/activate
by
Faisal Khan
on 5/28/26, 12:31 PM

is there any documentation on how to use i?

I really dont see any difference.  Odoo already have google authenticator.  So why would I need this? How do I change settings or enforce your app to makesure authenticator is enforced

How to use this app after install/activate
by
Faisal Khan
on 5/28/26, 12:31 PM

is there any documentation on how to use i?

I really dont see any difference.  Odoo already have google authenticator.  So why would I need this? How do I change settings or enforce your app to makesure authenticator is enforced