auth_totp/README.rst from OCA/server-tools

auth_totp/README.rst
Summary

Maintainability

Test Coverage

Issues
.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/lgpl.html
   :alt: License: LGPL-3

====================
MFA Support via TOTP
====================

This module adds support for MFA using TOTP (time-based, one-time passwords). 
It allows users to enable/disable MFA and manage authentication apps/devices 
via the "Change My Preferences" view and an associated wizard. 

After logging in normally, users with MFA enabled are taken to a second screen 
where they have to enter a password generated by one of their authentication 
apps and are presented with the option to remember the current device. This 
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the 
MFA step.

Installation
============

1. Install the PyOTP library using pip: ``pip install pyotp``
2. Follow the standard module install process

Configuration
=============

By default, the trusted device cookies introduced by this module have a 
``Secure`` flag and can only be sent via HTTPS. You can disable this by going 
to ``Settings > Parameters > System Parameters`` and changing the 
``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in 
production as it increases the likelihood of cookie theft via eavesdropping.

Usage
=====

Install and enjoy.

.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
   :alt: Try me on Runbot
   :target: https://runbot.odoo-community.org/runbot/149/8.0

Known Issues / Roadmap
======================

Known Issues
------------

* The module does not uninstall cleanly due to an Odoo bug, leaving the 
  ``res.users.authenticator`` and ``res.users.device`` models partially in 
  place. This may be addressed at a later time via an Odoo fix or by adding 
  custom uninstall logic via an uninstall hook.

Roadmap
-------

* Make the various durations associated with the module configurable. They are 
  currently hard-coded as follows:
  
  * 15 minutes to enter an MFA confirmation code after a password log in
  * 30 days before the MFA session expires and the user has to log in again
  * 30 days before the trusted device cookie expires

* Add logic to extend an MFA user's session each time it's validated, 
  effectively keeping it alive indefinitely as long as the user remains active
* Add device fingerprinting to the trusted device cookie and provide a way to 
  revoke trusted devices
* Add company-level settings for forcing all users to enable MFA and disabling 
  the trusted device option

Bug Tracker
===========

Bugs are tracked on `GitHub Issues 
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please 
check there if your issue has already been reported. If you spotted it first, 
help us smash it by providing detailed and welcomed feedback.

Credits
=======

Images
------

* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.

Contributors
------------

* Oleg Bulkin <obulkin@laslabs.com>
* Michael Viriyananda <viriyananda.michael@gmail.com>

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.