You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

105 lines
3.4 KiB

  1. .. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
  2. :target: http://www.gnu.org/licenses/lgpl.html
  3. :alt: License: LGPL-3
  4. ====================
  5. MFA Support via TOTP
  6. ====================
  7. This module adds support for MFA using TOTP (time-based, one-time passwords).
  8. It allows users to enable/disable MFA and manage authentication apps/devices
  9. via the "Change My Preferences" view and an associated wizard.
  10. After logging in normally, users with MFA enabled are taken to a second screen
  11. where they have to enter a password generated by one of their authentication
  12. apps and are presented with the option to remember the current device. This
  13. creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
  14. MFA step.
  15. Installation
  16. ============
  17. 1. Install the PyOTP library using pip: ``pip install pyotp``
  18. 2. Follow the standard module install process
  19. Configuration
  20. =============
  21. By default, the trusted device cookies introduced by this module have a
  22. ``Secure`` flag and can only be sent via HTTPS. You can disable this by going
  23. to ``Settings > Parameters > System Parameters`` and changing the
  24. ``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in
  25. production as it increases the likelihood of cookie theft via eavesdropping.
  26. Usage
  27. =====
  28. Install and enjoy.
  29. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  30. :alt: Try me on Runbot
  31. :target: https://runbot.odoo-community.org/runbot/149/9.0
  32. Known Issues / Roadmap
  33. ======================
  34. Known Issues
  35. ------------
  36. * The module does not uninstall cleanly due to an Odoo bug, leaving the
  37. ``res.users.authenticator`` and ``res.users.device`` models partially in
  38. place. This may be addressed at a later time via an Odoo fix or by adding
  39. custom uninstall logic via an uninstall hook.
  40. Roadmap
  41. -------
  42. * Make the various durations associated with the module configurable. They are
  43. currently hard-coded as follows:
  44. * 15 minutes to enter an MFA confirmation code after a password log in
  45. * 30 days before the MFA session expires and the user has to log in again
  46. * 30 days before the trusted device cookie expires
  47. * Add logic to extend an MFA user's session each time it's validated,
  48. effectively keeping it alive indefinitely as long as the user remains active
  49. * Add device fingerprinting to the trusted device cookie and provide a way to
  50. revoke trusted devices
  51. * Add company-level settings for forcing all users to enable MFA and disabling
  52. the trusted device option
  53. Bug Tracker
  54. ===========
  55. Bugs are tracked on `GitHub Issues
  56. <https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
  57. check there if your issue has already been reported. If you spotted it first,
  58. help us smash it by providing detailed and welcomed feedback.
  59. Credits
  60. =======
  61. Images
  62. ------
  63. * Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
  64. Contributors
  65. ------------
  66. * Oleg Bulkin <obulkin@laslabs.com>
  67. Maintainer
  68. ----------
  69. .. image:: https://odoo-community.org/logo.png
  70. :alt: Odoo Community Association
  71. :target: https://odoo-community.org
  72. This module is maintained by the OCA.
  73. OCA, or the Odoo Community Association, is a nonprofit organization whose
  74. mission is to support the collaborative development of Odoo features and
  75. promote its widespread use.
  76. To contribute to this module, please visit https://odoo-community.org.