The Complete Odoo 2FA Enforcement Guide: Secure Your ERP
Odoo's built-in two-factor authentication is a great start, but it's opt-in by default, leaving a major security gap. This comprehensive guide details how to truly enforce 2FA across your entire organization, covering internal users, APIs, and common implementation pitfalls you must avoid.
Your Odoo instance is the central nervous system of your business, holding everything from financial records and customer data to proprietary product information. In this context, relying on password security alone is no longer a viable strategy. Credential stuffing and brute-force attacks are rampant, and a single compromised account can lead to a catastrophic data breach. This is where Two-Factor Authentication (2FA) becomes a non-negotiable security control.
While Odoo has included built-in support for Time-based One-Time Password (TOTP) 2FA since version 15, a critical gap exists in most deployments: it’s not enforced. This leaves the most effective defense against account takeover attacks sitting on the sidelines. This comprehensive Odoo 2FA enforcement guide will walk you through the why, what, and how of locking down your ERP, covering internal users, APIs, portal users, and the common mistakes to avoid.
Why Odoo's Default 2FA Isn't Enough: The Enforcement Gap
Odoo's core auth_totp module makes 2FA available to all users. A user can navigate to their My Profile → Account Security tab and set up an authenticator app. This is a crucial feature, but its effectiveness is severely limited by its opt-in nature. You can have 2FA available, but if nobody uses it, you have zero additional protection.
This creates a dangerous false sense of security. Your IT team and system administrators might be diligent about enabling 2FA on their own accounts, but what about the dozens or hundreds of other users? The accounting team with access to all financial data, the sales team with your entire customer list, or the HR department with sensitive employee information are often left protected by just a password.
Relying on "opt-in security" is like installing high-security locks on every door in your office but leaving it up to each employee to decide whether they want to lock their door when they leave. True security requires a policy that is enforced by default, not one that relies on individual user action.
Understanding the `auth_totp` Module
Before we enforce it, let's understand the tool. The auth_totp module, included in Odoo's core, implements the TOTP standard. Here’s how it works:
- Initial Setup: When a user enables 2FA, Odoo generates a unique secret key. This key is displayed as a QR code and in text format.
- Authenticator App: The user scans this QR code with an authenticator app on their phone (like Google Authenticator, Authy, or Microsoft Authenticator). The app stores the secret key securely.
- Code Generation: The app and the Odoo server both use the shared secret key and the current time to generate the same 6-digit code, which changes every 30 seconds.
- Login Verification: After entering their password, the user is prompted for the 6-digit code from their app. Odoo generates its own version of the code and verifies it matches the user's input.
This process ensures that even if an attacker steals a user's password, they cannot log in without physical access to the user's trusted device (their phone). The challenge, as we've established, is moving from this being an option to it being a requirement.
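The four steps above, worked through as an added example (not code from Odoo's auth_totp module or from the article): a minimal RFC 6238 TOTP over HMAC-SHA1 with the 6-digit / 30-second defaults that authenticator apps share with Odoo, plus a verifier that tolerates one step of clock drift. The base32 handling and the drift window are assumptions of this example, not a description of Odoo's internals.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Common TOTP defaults: 6-digit codes, a new code every 30 seconds.
DIGITS = 6
STEP = 30


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 text shown next to the QR code (spaces/padding tolerant)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """TOTP: HOTP where the counter is Unix time // step (the 'time' in step 3)."""
    return hotp(key, at // step)


def verify(key: bytes, candidate: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server side of step 4: recompute the code for the current step and its
    +/- `window` neighbours (small clock drift) and compare in constant time."""
    if at is None:
        at = int(time.time())
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(key, counter + delta), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890"), base32-encoded.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(key, 59), "valid:", verify(key, totp(key, 59), at=59))
```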
A Step-by-Step Guide to Enforcing 2FA for Internal Users
Enforcing 2FA for all internal users is the single most important step. You have two primary methods: using a pre-built community module or creating your own simple custom module.
Method 1: Using a Community Module
The Odoo community has already solved this problem. Modules like auth_totp_mandatory from the Odoo Community Association (OCA) are designed specifically for this purpose. These modules typically work by:
- Adding a configuration setting (e.g., in General Settings or on user groups) to make 2FA mandatory.
- Modifying the login process to check if a user in a mandatory group has 2FA enabled.
- If 2FA is not enabled, the user is automatically redirected to the 2FA setup page after their first successful password login, preventing them from accessing any other part of the system until it's configured.
To use this method, you would typically find the module for your Odoo version, add it to your custom addons path, and install it like any other app.
Method 2: Creating a Basic Custom Enforcement Module
For more control or to avoid external dependencies, you can create a simple module to enforce this policy. This involves inheriting from the web login controller and adding a check. Here is a simplified example of what the Python code might look like:
```python
# In your_module/controllers/main.py
from odoo import http
from odoo.http import request
from odoo.addons.web.controllers.main import Home


class Enforce2FA(Home):

    @http.route('/web/login', type='http', auth="none", sitemap=False)
    def web_login(self, redirect=None, **kw):
        # Standard login process
        response = super(Enforce2FA, self).web_login(redirect, **kw)
        # After a successful login, check the user's state
        if request.session.uid:
            user = request.env['res.users'].browse(request.session.uid)
            # We only enforce for internal users, not portal or public
            is_internal_user = user.has_group('base.group_user')
            # If the user is internal and has not enabled TOTP, redirect them
            if is_internal_user and not user.totp_enabled:
                # Redirect to the user's security settings page;
                # the hash part directs the web client to the right menu
                return http.redirect_with_hash('/web#action=base.action_security_settings')
        return response
```
This code snippet overrides the standard login route. After a user authenticates successfully with their password, it checks whether they are an internal user and whether they have 2FA enabled. If not, it hijacks the process and redirects them to their security settings, effectively forcing them to set up 2FA before they can proceed. Because this simplified version only intercepts the login route, a user could still navigate to other URLs after the redirect; a production module would also add the per-request check that the community modules described above perform, so that nothing else is reachable until 2FA is configured.
Securing the Forgotten Entrypoints: APIs
Enforcing 2FA on the web interface is a great first step, but it's incomplete. Odoo's external APIs (XML-RPC and JSON-RPC) do not use the interactive 2FA flow. An attacker with a stolen password can completely bypass your web-based 2FA protection and access, modify, or exfiltrate data programmatically.
Securing API access requires a different approach. The most common and effective method is IP address whitelisting.
Unsure if your APIs are exposed? NonaGuard's automated Odoo security audit instantly checks for unprotected API endpoints and other critical vulnerabilities. Try the free health check.
You can implement whitelisting at the reverse proxy level (e.g., Nginx, Apache). This ensures that only trusted IP addresses, such as your office network or the servers of integrated third-party applications, can even reach the API endpoints. Here’s a sample Nginx configuration to achieve this:
```nginx
# In your server block for your Odoo instance
location /xmlrpc/ {
    # Allow access only from trusted IP addresses
    allow 198.51.100.5;    # Example: A specific service's IP
    allow 203.0.113.0/24;  # Example: Your office IP range
    deny all;              # Block all other IPs

    # Standard proxy settings
    proxy_pass http://127.0.0.1:8069;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
}
```
This configuration block tells Nginx to inspect all requests to /xmlrpc/. If the request's source IP does not match one of the allow directives, it is immediately rejected with a 403 Forbidden error, never even reaching Odoo. Note that this block covers only the XML-RPC path; Odoo's JSON-RPC endpoint at /jsonrpc needs an equivalent location block, otherwise it remains reachable from anywhere. For modern integrations, consider using Odoo's API Keys feature, which allows you to create revocable, user-specific keys instead of using passwords.
What About Portal Users? A Balanced Approach
Portal users (customers, vendors, partners) represent another user category with a separate authentication flow. Enforcing 2FA on portal users introduces friction, which could be detrimental to user experience. Therefore, the decision should be based on the sensitivity of the data accessible through the portal.
Consider enforcing 2FA for your portal if it exposes:
- Financial Information: Invoices, credit notes, payment history, or saved payment methods.
- Sensitive Documents: Signed contracts, project files, or support tickets containing personal data.
- Order History: Detailed purchase history that could reveal business intelligence.
If your portal is purely informational, mandatory 2FA may be overkill. Implementing this often requires custom development, as off-the-shelf modules are less common than for internal users. The logic would be similar to the internal user enforcement: override the portal login controller and redirect users without 2FA to a setup page.
Watch Out For: Common 2FA Implementation Mistakes
Rolling out 2FA is more than just flipping a switch. Avoiding these common mistakes is critical for a successful and secure implementation.
- Incomplete Rollout: Don't just enforce 2FA for administrators. Any user with access to sensitive data—be it in accounting, sales, or HR—is a valuable target. A single compromised account is all an attacker needs. Define your policy based on data access, not just user title.
- The Recovery Code Blind Spot: When a user sets up 2FA, Odoo provides a set of one-time-use recovery codes. Users often ignore or lose these. Without them, losing their phone means they are completely locked out. You must have a clear internal process: instruct users to save these codes in a secure location (like a password manager) and establish a support workflow for administrators to help locked-out users.
- Ignoring Shared Devices: What about devices that aren't tied to a single person, like a warehouse scanning terminal, a point-of-sale system, or a factory floor kiosk? These scenarios are incompatible with app-based 2FA. The solution is to create dedicated Odoo users for these devices, explicitly exclude them from the mandatory 2FA policy, and secure them with other controls like strict network-level IP restrictions.
- Lack of User Training: Don't surprise your users. Before you enforce the policy, communicate what 2FA is, why it's being implemented, and provide a simple, step-by-step guide on how to set it up. A small amount of proactive training can prevent a deluge of support tickets and user frustration.
Frequently Asked Questions
What is the best 2FA app to use with Odoo?
Any TOTP-compliant authenticator app will work perfectly with Odoo. Popular and trusted choices include Google Authenticator, Microsoft Authenticator, Authy, and 1Password. The choice depends on user preference, as they all perform the same core function.
Can I enforce 2FA on Odoo.sh or Odoo Online?
On Odoo.sh, you have full control and can install custom or community modules to enforce 2FA, just like a self-hosted instance. On Odoo Online (SaaS), you cannot add custom modules, so you cannot programmatically enforce it. However, you can and should still create a strong organizational policy requiring all users to enable it and manually audit compliance.
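One way to script the compliance audit mentioned above, as an added example that is neither Odoo's nor the article's own code: it lists active internal users (share=False) whose totp_enabled flag, the same field the enforcement controller checks, is off, using Odoo's standard XML-RPC API. The URL, database, login and credential are placeholders to replace with your own; an API key works in place of the password.

```python
import xmlrpc.client
from typing import List

# Placeholder connection details (assumptions of this example).
URL = "https://odoo.example.com"
DB = "production"
LOGIN = "admin@example.com"
PASSWORD = "your-password-or-api-key"


def users_without_2fa(models, db: str, uid: int, password: str) -> List[str]:
    """Return the logins of active internal users who have not enabled 2FA.

    `models` is an XML-RPC proxy for /xmlrpc/2/object (or any object with a
    compatible execute_kw). share=False excludes portal and public users;
    totp_enabled is the flag Odoo sets once a user has scanned the QR code.
    """
    records = models.execute_kw(
        db, uid, password, "res.users", "search_read",
        [[["share", "=", False], ["active", "=", True]]],
        {"fields": ["login", "totp_enabled"]},
    )
    return sorted(r["login"] for r in records if not r["totp_enabled"])


def audit(url: str = URL, db: str = DB, login: str = LOGIN,
          password: str = PASSWORD) -> List[str]:
    """Authenticate against /xmlrpc/2/common and run the check."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise SystemExit("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    return users_without_2fa(models, db, uid, password)


if __name__ == "__main__":
    for user_login in audit():
        print("2FA not enabled:", user_login)
```

Run it on a schedule and treat a non-empty result as a policy violation to follow up on.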
What happens if a user loses their phone and their backup codes?
An Odoo administrator with sufficient access rights (typically 'Settings' access under 'Administration') must intervene. The administrator can open the user's form view, go to the 'Account Security' tab, and manually disable Two-Factor Authentication for that user. This will allow the user to log in again with just their password and re-run the 2FA setup process.
Does 2FA protect against all types of phishing attacks?
2FA provides extremely strong protection against common phishing attacks where the goal is to steal a password. However, it is not a silver bullet. In a sophisticated real-time phishing attack (known as an adversary-in-the-middle attack), an attacker could trick a user into entering their password and their 2FA code into a fake website, and then quickly use those credentials to log into the real site. While much rarer, this highlights the need for continuous user education on spotting phishing attempts.