Allows users to enable MFA and add optional trusted devices
Project description
MFA Support via TOTP
This module adds support for MFA using TOTP (time-based, one-time passwords). It allows users to enable/disable MFA and manage authentication apps/devices via the “Change My Preferences” view and an associated wizard.
After logging in normally, users with MFA enabled are taken to a second screen where they have to enter a password generated by one of their authentication apps and are presented with the option to remember the current device. This creates a secure, HTTP-only cookie that allows subsequent logins to bypass the MFA step.
Installation
Install the PyOTP library using pip: pip install pyotp
Follow the standard module install process
Configuration
By default, the trusted device cookies introduced by this module have a Secure flag and can only be sent via HTTPS. You can disable this by going to Settings > Parameters > System Parameters and changing the auth_totp.secure_cookie key to 0, but this is not recommended in production as it increases the likelihood of cookie theft via eavesdropping.
Usage
Install and enjoy.
Known Issues / Roadmap
Known Issues
The module does not uninstall cleanly due to an Odoo bug, leaving the res.users.authenticator and res.users.device models partially in place. This may be addressed at a later time via an Odoo fix or by adding custom uninstall logic via an uninstall hook.
Roadmap
Make the various durations associated with the module configurable. They are currently hard-coded as follows:
15 minutes to enter an MFA confirmation code after a password log in
30 days before the MFA session expires and the user has to log in again
30 days before the trusted device cookie expires
Add logic to extend an MFA user’s session each time it’s validated, effectively keeping it alive indefinitely as long as the user remains active
Add device fingerprinting to the trusted device cookie and provide a way to revoke trusted devices
Add company-level settings for forcing all users to enable MFA and disabling the trusted device option
Bug Tracker
Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.
Credits
Images
Odoo Community Association: Icon.
Contributors
Oleg Bulkin <obulkin@laslabs.com>
Maintainer
This module is maintained by the OCA.
OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.
To contribute to this module, please visit https://odoo-community.org.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file odoo9_addon_auth_totp-9.0.1.0.1-py2-none-any.whl
.
File metadata
- Download URL: odoo9_addon_auth_totp-9.0.1.0.1-py2-none-any.whl
- Upload date:
- Size: 186.0 kB
- Tags: Python 2
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | bc26afa3150230a3aa29ca946de840856123227e6cc617e08896abc26506f5c3 |
|
MD5 | d5710d16a38960feb11777ca951e6492 |
|
BLAKE2b-256 | dd59c5b8355f5fd4324c1da3bc2be9accd64fbf73bc793b0b36c394234288ee8 |