.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/lgpl.html
   :alt: License: LGPL-3

====================
MFA Support via TOTP
====================

This module adds support for MFA using TOTP (time-based, one-time passwords).
It allows users to enable/disable MFA and manage authentication apps/devices
via the "Change My Preferences" view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen
where they have to enter a password generated by one of their authentication
apps and are presented with the option to remember the current device. This
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
MFA step.

Installation
============

1. Install the PyOTP library using pip: ``pip install pyotp``
2. Follow the standard module install process

Configuration
=============

By default, the trusted device cookies introduced by this module have a
``Secure`` flag and can only be sent via HTTPS. You can disable this by going
to ``Settings > Parameters > System Parameters`` and changing the
``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in
production as it increases the likelihood of cookie theft via eavesdropping.

Usage
=====

Install and enjoy.

.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
   :alt: Try me on Runbot
   :target: https://runbot.odoo-community.org/runbot/149/10.0

Known Issues / Roadmap
======================

Known Issues
------------

* The module does not uninstall cleanly due to an Odoo bug, leaving the
  ``res.users.authenticator`` and ``res.users.device`` models partially in
  place. This may be addressed at a later time via an Odoo fix or by adding
  custom uninstall logic via an uninstall hook.

Roadmap
-------

* Make the various durations associated with the module configurable.
  They are currently hard-coded as follows:

  * 15 minutes to enter an MFA confirmation code after a password login
  * 30 days before the MFA session expires and the user has to log in again
  * 30 days before the trusted device cookie expires

* Add logic to extend an MFA user's session each time it's validated,
  effectively keeping it alive indefinitely as long as the user remains active
* Add device fingerprinting to the trusted device cookie and provide a way to
  revoke trusted devices
* Add company-level settings for forcing all users to enable MFA and disabling
  the trusted device option

Bug Tracker
===========

Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-tools/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us smash it by providing detailed and welcomed
feedback.

Credits
=======

Images
------

* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.

Contributors
------------

* Oleg Bulkin <obulkin@laslabs.com>

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.
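Added example, not part of this module or of PyOTP: the RFC 6238 TOTP check that an authenticator-app code goes through, written with the Python standard library only and checked against the RFC 4226/6238 test vectors. The one-step drift window and the 20-byte secret size are assumptions for illustration, not this module's settings.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def new_secret(nbytes: int = 20) -> str:
    """Provision a fresh base32 secret of the kind an authenticator app enrolls."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (clock-drift tolerance; the one-step window is an assumption, not the
    module's setting). Constant-time comparison avoids a timing oracle."""
    now = time.time() if at is None else at
    matched = False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * step, step)
        matched |= hmac.compare_digest(candidate, code)
    return matched


# RFC 6238 Appendix B test key: ASCII "12345678901234567890", base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, at=59))                    # 287082, as in RFC 6238
    print(verify_totp(RFC6238_SECRET, "287082", at=89))   # True: one step of drift
    print(verify_totp(RFC6238_SECRET, "287082", at=119))  # False: code too old
```

A replayed code from an earlier step is rejected once it falls outside the window; server and app clocks must stay within that window for legitimate codes to be accepted.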