Enabling Two-Factor Authentication

Two-Factor Authentication (2FA) Setup

Enhance your account security by enabling two-factor authentication for an extra layer of protection.

What is Two-Factor Authentication?

Two-factor authentication adds an extra security step to your login process. In addition to your password, you'll need to provide a second form of verification, typically a code from your smartphone.

Supported Authentication Methods

  • TOTP Apps: Google Authenticator, Authy, Microsoft Authenticator
  • SMS: Text message codes (less secure, not recommended)
  • Email: Email verification codes
  • Hardware Keys: FIDO2/WebAuthn security keys (enterprise only)

Setting Up TOTP (Recommended)

Step 1: Install Authenticator App

Download one of these apps on your smartphone:

  • Google Authenticator: Free, simple, reliable
  • Authy: Cloud backup, multi-device sync
  • Microsoft Authenticator: Push notifications, backup
  • 1Password: Integrated with password manager

Step 2: Enable 2FA in Odoo

  1. Click your profile picture > "Preferences"
  2. Go to "Account Security" tab
  3. Click "Enable Two-Factor Authentication"
  4. Select "TOTP (Authenticator App)"
  5. Scan the QR code with your authenticator app
  6. Enter the 6-digit code from your app
  7. Save your recovery codes in a safe place
  8. Click "Confirm Setup"

Logging In with 2FA

  1. Enter your username and password normally
  2. You'll see a 2FA verification screen
  3. Open your authenticator app
  4. Enter the current 6-digit code
  5. Click "Verify"

Recovery Codes

Important: Save your recovery codes securely!

  • Each code can only be used once
  • Use them if you lose access to your phone
  • Store them in a password manager or secure location
  • Generate new codes periodically

Using Recovery Codes

  1. On the 2FA verification screen
  2. Click "Use Recovery Code"
  3. Enter one of your backup codes
  4. Set up 2FA again immediately after logging in

Managing 2FA Settings

Regenerate Recovery Codes

  1. Go to Preferences > Account Security
  2. Click "Regenerate Recovery Codes"
  3. Save the new codes securely
  4. Old codes become invalid

Change Authenticator Device

  1. Disable 2FA temporarily
  2. Set up 2FA again with new device
  3. Generate new recovery codes

Disable 2FA

  1. Go to Preferences > Account Security
  2. Click "Disable Two-Factor Authentication"
  3. Enter your current 2FA code
  4. Confirm disabling

Organization-Wide 2FA Policy

Administrators can enforce 2FA for all users:

  1. Go to Settings > Users & Companies > Users
  2. Click "Security Settings"
  3. Enable "Require 2FA for all users"
  4. Set grace period for existing users
  5. Configure exemptions if needed

Troubleshooting 2FA

Code Not Working

  • Check that your device's time is correct
  • Ensure you're using the latest code
  • Try syncing your authenticator app
  • Use a recovery code if available
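
Why the device clock matters, as an added example (not part of the original article and not Odoo's code): a standard TOTP (RFC 6238) calculation plus a server-side check, using the RFC's published test secret. The 30-second step, HMAC-SHA1 and the one-step acceptance window are assumed common defaults, not confirmed Odoo settings.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), not a real account secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # assumed time step in seconds (RFC 6238 default)
DIGITS = 6   # the 6-digit codes the article refers to


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the TOTP code (HMAC-SHA1) valid at the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step              # number of steps since epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Return the step offset (0, -1, +1, ...) at which the code matches, else None.

    window is the assumed number of steps of clock drift the server tolerates.
    """
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return drift
    return None


if __name__ == "__main__":
    server_now = 1111111111                       # constructed server clock
    for label, skew in [("in sync", 0), ("2 s slow", -2), ("5 min slow", -300)]:
        phone_code = totp(RFC_SECRET_B32, server_now + skew)
        result = verify(RFC_SECRET_B32, phone_code, server_now)
        status = "rejected" if result is None else f"accepted (step offset {result})"
        print(f"phone {label:10s} shows {phone_code}: {status}")
```

A phone that is only two seconds slow can already show the previous step's code, which the window still accepts; a phone that is minutes off produces a code outside the window, which is why correcting the device time fixes "code not working".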

Lost Phone/Authenticator

  • Use a recovery code to log in
  • Immediately set up 2FA on new device
  • Contact admin if no recovery codes available
  • Admin can temporarily disable 2FA for recovery

App Sync Issues

  • Manually sync time in authenticator app
  • Remove and re-add the account in app
  • Try a different authenticator app
  • Check if QR code was scanned correctly

Security Best Practices

  • Use TOTP: More secure than SMS
  • Backup Codes: Store securely offline
  • Multiple Devices: Set up authenticator on backup device
  • Regular Updates: Keep authenticator apps updated
  • Device Security: Use device lock screen protection
  • Recovery Plan: Have a plan for device loss

Security Note: 2FA significantly reduces the risk of account compromise, even if your password is stolen.

Getting Help

If you're locked out of your account:

  • Try using recovery codes first
  • Contact your system administrator
  • For urgent access, call our security helpline
  • Have your user ID and recent login details ready
