Odoo 2FA Enforcement: Beyond Basic Password Security
Passwords alone aren't enough. Learn how to enforce two-factor authentication across your Odoo instance and why most implementations get it wrong.
Two-factor authentication (2FA) is one of the most effective security controls you can implement — it blocks over 99% of automated credential attacks. Odoo has supported TOTP-based 2FA since version 15, but most instances don't enforce it, and many implementations have gaps.
The Enforcement Gap
Odoo's 2FA is opt-in by default. Users can choose to enable it, but they're not required to. This creates a false sense of security: your admin users might have 2FA enabled, but the sales team, accounting staff, and portal users probably don't.
How to Enforce 2FA Organization-Wide
Internal Users
Install the auth_totp module (included in Odoo core from v15+). Installing it only makes TOTP available to users; to enforce it for all internal users, you need a custom module that overrides the login flow and requires TOTP setup on first login before the session proceeds. Several community modules provide this — look for auth_totp_mandatory.
API Access
TOTP doesn't apply to XML-RPC or JSON-RPC API access — these authenticate with a password or a per-user API key directly, with no second factor. If you enforce 2FA for web login but leave API access unprotected, attackers will simply target the API endpoints instead. Use IP whitelisting for API access as a compensating control, and treat API keys as credentials in their own right: know which users hold one and revoke keys that are no longer needed.
Portal Users
Portal users (customers, vendors) have their own authentication flow. Enforcing 2FA for portal users adds friction but is appropriate for portals that expose sensitive financial or contractual data.
Common Implementation Mistakes
- Enabling 2FA for admins but not for users with access to sensitive data (accounting, HR)
- Not providing backup recovery codes — users who lose their authenticator device get locked out
- Forgetting that shared devices (warehouse terminals, kiosks) may not support TOTP apps
NonaGuard's security scanner checks 2FA adoption across all user accounts and flags users with elevated privileges who haven't enabled it. Check your 2FA coverage.
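The following is an added audit script, not NonaGuard's scanner or Odoo's own code, that implements the checks discussed above: it measures 2FA coverage across internal users, flags privileged users without TOTP (the first "common mistake"), and lists API-key holders who have no second factor (the API-access gap). It works on records in the shape that `res.users` and `res.users.apikeys` return from `search_read`; the sample records, the group ids and their mapping to xml ids are constructed, and the live `fetch_users` helper assumes the auditing account may read `totp_enabled` and the API-key model.

```python
"""Audit 2FA coverage of Odoo users.

Added example, not NonaGuard's or Odoo's code. Records mirror what
res.users search_read returns for the fields login, totp_enabled,
share, groups_id and active (assumption: totp_enabled, added by the
auth_totp module, is readable by the auditing account).
"""
from __future__ import annotations

import xmlrpc.client
from dataclasses import dataclass, field

# Group record ids treated as privileged. In a real instance resolve the
# ids from xml ids via ir.model.data; the ids below are constructed.
PRIVILEGED_GROUP_IDS = {
    1: "base.group_system",
    2: "base.group_erp_manager",
    9: "account.group_account_manager",
}

SAMPLE_USERS = [  # constructed sample data
    {"id": 2, "login": "admin", "totp_enabled": True, "share": False,
     "active": True, "groups_id": [1, 2]},
    {"id": 7, "login": "cfo@example.com", "totp_enabled": False, "share": False,
     "active": True, "groups_id": [9]},
    {"id": 8, "login": "sales1@example.com", "totp_enabled": False, "share": False,
     "active": True, "groups_id": [4]},
    {"id": 9, "login": "oldadmin", "totp_enabled": False, "share": False,
     "active": False, "groups_id": [1]},
    {"id": 21, "login": "customer@example.net", "totp_enabled": False, "share": True,
     "active": True, "groups_id": []},
]
SAMPLE_API_KEYS = [  # constructed; shape of res.users.apikeys records
    {"id": 1, "user_id": [8, "sales1"], "name": "integration",
     "create_date": "2024-01-01 00:00:00"},
]


@dataclass
class Report:
    internal_total: int = 0
    internal_with_2fa: int = 0
    privileged_without_2fa: list = field(default_factory=list)
    api_key_holders_without_2fa: list = field(default_factory=list)
    portal_without_2fa: int = 0

    @property
    def coverage(self) -> float:
        """Fraction of active internal users with TOTP enabled."""
        return self.internal_with_2fa / self.internal_total if self.internal_total else 1.0


def privileged_groups(user: dict) -> list[str]:
    """xml ids of privileged groups the user belongs to (groups_id is a list of ids)."""
    return [PRIVILEGED_GROUP_IDS[g] for g in user.get("groups_id", []) if g in PRIVILEGED_GROUP_IDS]


def audit(users: list[dict], api_keys: list[dict]) -> Report:
    report = Report()
    by_id = {u["id"]: u for u in users}
    for u in users:
        if not u.get("active", True):
            continue  # archived users cannot log in
        if u.get("share"):  # portal / public user
            if not u["totp_enabled"]:
                report.portal_without_2fa += 1
            continue
        report.internal_total += 1
        if u["totp_enabled"]:
            report.internal_with_2fa += 1
        else:
            groups = privileged_groups(u)
            if groups:
                report.privileged_without_2fa.append((u["login"], groups))
    for key in api_keys:
        owner = by_id.get(key["user_id"][0])
        if owner and owner.get("active", True) and not owner["totp_enabled"]:
            if owner["login"] not in report.api_key_holders_without_2fa:
                report.api_key_holders_without_2fa.append(owner["login"])
    return report


def fetch_users(url: str, db: str, login: str, api_key: str) -> tuple[list[dict], list[dict]]:
    """Pull the same records from a live instance over XML-RPC (not run here).

    Assumption: the auditing account may read res.users.totp_enabled and
    the res.users.apikeys model; the API key is passed as the RPC password.
    """
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, api_key, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    users = models.execute_kw(
        db, uid, api_key, "res.users", "search_read",
        [[["active", "in", [True, False]]]],
        {"fields": ["login", "totp_enabled", "share", "groups_id", "active"]})
    keys = models.execute_kw(
        db, uid, api_key, "res.users.apikeys", "search_read",
        [[]], {"fields": ["user_id", "name", "create_date"]})
    return users, keys


if __name__ == "__main__":
    r = audit(SAMPLE_USERS, SAMPLE_API_KEYS)
    print(f"internal 2FA coverage: {r.coverage:.0%}")
    print("privileged without 2FA:", r.privileged_without_2fa)
    print("API-key holders without 2FA:", r.api_key_holders_without_2fa)
    print("portal users without 2FA:", r.portal_without_2fa)
```

Run it as-is to see the constructed sample scored, or replace the sample lists with the tuple returned by `fetch_users` to audit a real instance. Archived users are skipped because they cannot log in, while portal users are counted separately so the internal coverage figure is not diluted by accounts that may legitimately be exempt.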
🛡️ Check Your Odoo Security Posture
NonaGuard scans for permission vulnerabilities, exposed API surfaces, missing 2FA, and 200+ other security checks. Get your security score in under 60 seconds.