MFA Support

MFA Support via TOTP

This module adds support for MFA using TOTP (time-based one-time passwords). It allows users to enable/disable MFA and manage authentication apps/devices via the "Change My Preferences" view and an associated wizard.

After logging in normally, users with MFA enabled are taken to a second screen where they have to enter a password generated by one of their authentication apps and are presented with the option to remember the current device. Selecting that option creates a secure, HTTP-only cookie that allows subsequent logins to bypass the MFA step.


  1. Install the PyOTP library using pip: pip install pyotp
  2. Follow the standard module install process


By default, the trusted device cookies introduced by this module have a Secure flag and can only be sent via HTTPS. You can disable this by going to Settings > Parameters > System Parameters and changing the auth_totp.secure_cookie key to 0, but this is not recommended in production as it increases the likelihood of cookie theft via eavesdropping.
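The second login step and the trusted device cookie described above, as an added example written with the Python standard library only; it is not this module's code, which relies on PyOTP. The cookie name trusted_device, the one-step drift window and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time
from http.cookies import SimpleCookie

TRUST_DAYS = 30  # trusted device cookie lifetime, hard-coded per this page

def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = max(int(at), 0) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at=None, window=1, step=30):
    """Accept the current step or `window` steps either side (assumed drift)."""
    at = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step=step)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

def trusted_device_cookie(secure_cookie=True):
    """Return (token, Set-Cookie value) for a remembered device."""
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar["trusted_device"] = token  # hypothetical cookie name
    morsel = jar["trusted_device"]
    morsel["max-age"] = TRUST_DAYS * 24 * 3600
    morsel["path"] = "/"
    morsel["httponly"] = True  # not readable from page scripts
    morsel["secure"] = secure_cookie  # False mirrors auth_totp.secure_cookie = 0
    return token, morsel.OutputString()

def second_step(secret_b32, code, remember, secure_cookie=True, at=None):
    """Return (authenticated, Set-Cookie value or None)."""
    if not verify_totp(secret_b32, code, at=at):
        return False, None
    if not remember:
        return True, None
    return True, trusted_device_cookie(secure_cookie)[1]

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret
    print(second_step(secret, totp(secret, time.time()), remember=True))
```

With secure_cookie=False the Secure attribute is omitted from the header, which is what lets a browser send the cookie over plain HTTP.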


Install and enjoy.

Known Issues / Roadmap

Known Issues

  • The module does not uninstall cleanly due to an Odoo bug, leaving the res.users.authenticator and res.users.device models partially in place. This may be addressed at a later time via an Odoo fix or by adding custom uninstall logic via an uninstall hook.


Roadmap

  • Make the various durations associated with the module configurable. They are currently hard-coded as follows:
    • 15 minutes to enter an MFA confirmation code after a password log in
    • 30 days before the MFA session expires and the user has to log in again
    • 30 days before the trusted device cookie expires
  • Add logic to extend an MFA user's session each time it's validated, effectively keeping it alive indefinitely as long as the user remains active
  • Add device fingerprinting to the trusted device cookie and provide a way to revoke trusted devices
  • Add company-level settings for forcing all users to enable MFA and disabling the trusted device option

Bug Tracker

Bugs are tracked on . In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.



  • Odoo Community Association: .


  • Oleg Bulkin <>


Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit .