.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/lgpl.html
   :alt: License: LGPL-3

====================
MFA Support via TOTP
====================

This module adds support for MFA using TOTP (time-based, one-time passwords).
It allows users to enable/disable MFA and manage authentication apps/devices
via the "Change My Preferences" view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen
where they have to enter a password generated by one of their authentication
apps and are presented with the option to remember the current device. This
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
MFA step.
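The second-screen check described above is a standard RFC 6238 TOTP verification. The following is an added illustration of what that verification involves, written against the Python standard library; it is not this module's code (the module delegates TOTP to PyOTP), and the secret is the constructed RFC 4226/6238 reference seed, not a real user's key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 4226/6238 reference seed
# b"12345678901234567890" encoded in base32, the form an authenticator
# app stores and the form a user would scan from an enrolment QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal code."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, candidate, unix_time=None, window=1, step=30):
    """Accept the code for the current step and +/- `window` adjacent steps
    so small clock drift between server and device does not lock users out.
    Each comparison is constant-time so response timing does not reveal
    how many leading digits of a guess were correct."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    candidate = str(candidate).strip()
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta, step and 6), candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp_at(EXAMPLE_SECRET_B32, now))
    print("accepted:", verify_totp(EXAMPLE_SECRET_B32, totp_at(EXAMPLE_SECRET_B32, now)))
```

A production verifier would additionally remember the last accepted counter per user so a code cannot be replayed within its validity window.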
Installation
============

1. Install the PyOTP library using pip: ``pip install pyotp``
2. Follow the standard module install process

Configuration
=============

By default, the trusted device cookies introduced by this module have a
``Secure`` flag. This decreases the likelihood of cookie theft via
eavesdropping but may result in cookies not being set by certain browsers
unless your Odoo instance uses HTTPS. If necessary, you can disable this flag
by going to ``Settings > Parameters > System Parameters`` and changing the
``auth_totp.secure_cookie`` key to ``0``.

Usage
=====

If necessary, a user's trusted devices can be revoked by disabling and
re-enabling MFA for that user.

.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
   :alt: Try me on Runbot
   :target: https://runbot.odoo-community.org/runbot/149/10.0

Known Issues / Roadmap
======================

Known Issues
------------

* External calls to the Odoo XML-RPC API are blocked for users who enable MFA
  since there is currently no way to perform MFA authentication as part of this
  process. However, due to the way that Odoo handles authentication caching,
  multi-threaded or multi-process servers will need to be restarted before the
  block can take effect for users who have just enabled MFA.

Roadmap
-------

* Make the lifetime of the trusted device cookie configurable rather than fixed
  at 30 days
* Add device fingerprinting to the trusted device cookie
* Add company-level settings for forcing all users to enable MFA and disabling
  the trusted device option

Bug Tracker
===========

Bugs are tracked on
`GitHub Issues <https://github.com/OCA/server-tools/issues>`_. In case of
trouble, please check there if your issue has already been reported. If you
spotted it first, help us smash it by providing detailed and welcomed feedback.

Credits
=======

Images
------

* Odoo Community Association:
  `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.

Contributors
------------

* Oleg Bulkin <obulkin@laslabs.com>

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.