You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
Jordi Ballester Alomar 04e242e87c Merge pull request #933 from Eficent/9.0-mail_log_messages_to_process 7 years ago
..
controllers [FIX] auth_totp: Firefox support 7 years ago
data [9.0][ADD] auth_totp: MFA Support (#687) 8 years ago
i18n OCA Transbot updated translations from Transifex 7 years ago
models Merge pull request #933 from Eficent/9.0-mail_log_messages_to_process 7 years ago
security Merge pull request #933 from Eficent/9.0-mail_log_messages_to_process 7 years ago
static/description [9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) 8 years ago
tests [FIX] auth_totp: Firefox support 7 years ago
views [9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) 8 years ago
wizards [9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) 8 years ago
README.rst [9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) 8 years ago
__init__.py [9.0][ADD] auth_totp: MFA Support (#687) 8 years ago
__openerp__.py [9.0][ADD] auth_totp: MFA Support (#687) 8 years ago
exceptions.py [9.0][ADD] auth_totp: MFA Support (#687) 8 years ago

README.rst

.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
:target: http://www.gnu.org/licenses/lgpl.html
:alt: License: LGPL-3

====================
MFA Support via TOTP
====================

This module adds support for MFA using TOTP (time-based, one-time passwords).
It allows users to enable/disable MFA and manage authentication apps/devices
via the "Change My Preferences" view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen
where they have to enter a password generated by one of their authentication
apps and are presented with the option to remember the current device. This
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
MFA step.

Installation
============

1. Install the PyOTP library using pip: ``pip install pyotp``
2. Follow the standard module install process

Configuration
=============

By default, the trusted device cookies introduced by this module have a
``Secure`` flag and can only be sent via HTTPS. You can disable this by going
to ``Settings > Parameters > System Parameters`` and changing the
``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in
production as it increases the likelihood of cookie theft via eavesdropping.

Usage
=====

Install and enjoy.

.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
:alt: Try me on Runbot
:target: https://runbot.odoo-community.org/runbot/149/9.0

Known Issues / Roadmap
======================

Known Issues
------------

* The module does not uninstall cleanly due to an Odoo bug, leaving the
``res.users.authenticator`` and ``res.users.device`` models partially in
place. This may be addressed at a later time via an Odoo fix or by adding
custom uninstall logic via an uninstall hook.

Roadmap
-------

* Make the various durations associated with the module configurable. They are
currently hard-coded as follows:

* 15 minutes to enter an MFA confirmation code after a password log in
* 30 days before the MFA session expires and the user has to log in again
* 30 days before the trusted device cookie expires

* Add logic to extend an MFA user's session each time it's validated,
effectively keeping it alive indefinitely as long as the user remains active
* Add device fingerprinting to the trusted device cookie and provide a way to
revoke trusted devices
* Add company-level settings for forcing all users to enable MFA and disabling
the trusted device option

Bug Tracker
===========

Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.

Credits
=======

Images
------

* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.

Contributors
------------

* Oleg Bulkin <obulkin@laslabs.com>

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.