Skip to main content

Allows users to enable MFA and add optional trusted devices

Project description

License: LGPL-3

MFA Support via TOTP

This module adds support for MFA using TOTP (time-based, one-time passwords). It allows users to enable/disable MFA and manage authentication apps/devices via the “Change My Preferences” view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen where they have to enter a password generated by one of their authentication apps and are presented with the option to remember the current device. This creates a secure, HTTP-only cookie that allows subsequent logins to bypass the MFA step.


  1. Install the PyOTP library using pip: pip install pyotp
  2. Follow the standard module install process


By default, the trusted device cookies introduced by this module have a Secure flag and can only be sent via HTTPS. You can disable this by going to Settings > Parameters > System Parameters and changing the auth_totp.secure_cookie key to 0, but this is not recommended in production as it increases the likelihood of cookie theft via eavesdropping.


Install and enjoy.

Try me on Runbot

Known Issues / Roadmap

Known Issues

  • The module does not uninstall cleanly due to an Odoo bug, leaving the res.users.authenticator and res.users.device models partially in place. This may be addressed at a later time via an Odoo fix or by adding custom uninstall logic via an uninstall hook.


  • Make the various durations associated with the module configurable. They are currently hard-coded as follows:
    • 15 minutes to enter an MFA confirmation code after a password log in
    • 30 days before the MFA session expires and the user has to log in again
    • 30 days before the trusted device cookie expires
  • Add logic to extend an MFA user’s session each time it’s validated, effectively keeping it alive indefinitely as long as the user remains active
  • Add device fingerprinting to the trusted device cookie and provide a way to revoke trusted devices
  • Add company-level settings for forcing all users to enable MFA and disabling the trusted device option

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.



  • Odoo Community Association: Icon.



Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for odoo10-addon-auth-totp, version
Filename, size File type Python version Upload date Hashes
Filename, size odoo10_addon_auth_totp- (187.9 kB) File type Wheel Python version py2 Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page