How to Enable Two-Factor Authentication in Odoo

DeployMonkey Team · March 11, 2026

Two-factor authentication (2FA) is one of the most effective controls against account takeover. Odoo has built-in TOTP (Time-based One-Time Password) support since version 14 — no third-party module required. Here's how to enable and enforce it across your organization.

How Odoo 2FA Works

Odoo uses the TOTP standard (RFC 6238), the same algorithm used by Google Authenticator, Authy, Microsoft Authenticator, and password managers like 1Password and Bitwarden. When 2FA is enabled:

  1. The user enters their email and password as usual
  2. Odoo prompts for a 6-digit code from their authenticator app
  3. The code is valid for 30 seconds and cannot be reused

There are no SMS codes or email OTPs — only authenticator apps, which are significantly more secure.

Step 1: Enable 2FA at the System Level

Go to Settings > General Settings and scroll to the Permissions or Security section. You'll find the Two-Factor Authentication setting with three options:

  • Optional — Users can set up 2FA voluntarily. This is the default.
  • Required for administrators — Users with admin or manager roles must use 2FA.
  • Required for all users — Every user must set up 2FA on next login.

Select your policy and click Save.

Recommended for production: Set to Required for all users. This prevents any account from being accessed with only a password.

Step 2: User Setup — Enabling 2FA on an Account

Each user must set up their own authenticator. There are two paths:

Self-service (user sets up their own)

  1. Click the user avatar in the top-right corner
  2. Select My Profile
  3. Click the Account Security tab
  4. Click Enable two-factor authentication
  5. Enter your current password to confirm identity
  6. A QR code appears — scan it with your authenticator app
  7. Enter the 6-digit code from the app to confirm setup

Administrator setup for another user

As an administrator, go to Settings > Users & Companies > Users, open the user record, and click the Account Security tab. You can see whether 2FA is enabled and revoke it if needed (e.g., if the user loses their authenticator device).

Step 3: Scanning the QR Code

Open your authenticator app and scan the QR code shown on the Odoo 2FA setup screen. Compatible apps include:

  • Google Authenticator (iOS / Android) — simple, widely supported
  • Authy (iOS / Android / Desktop) — supports encrypted cloud backup of tokens, best for recovery
  • Microsoft Authenticator (iOS / Android) — good for organizations using Microsoft 365
  • 1Password or Bitwarden — TOTP built into your password manager
  • Aegis (Android only) — open source, highly recommended for Android users

After scanning, the app shows a 6-digit code that changes every 30 seconds. Enter the current code in Odoo to complete setup.

Step 4: Recovery — What to Do if a User Loses Their Authenticator

If a user loses their phone or uninstalls their authenticator app without backing up tokens, they are locked out. The administrator must revoke their 2FA to restore access:

  1. Go to Settings > Users & Companies > Users
  2. Open the locked-out user's record
  3. Click the Account Security tab
  4. Click Revoke two-factor authentication
  5. Confirm the action

The user can now log in with only their password and will be prompted to set up 2FA again.

Step 5: Enforce 2FA at Login

When 2FA is set to Required for all users, Odoo redirects users without 2FA configured to the setup screen on their next login. They cannot access any Odoo functionality until they complete setup.

This enforcement is automatic — you don't need to manually block access for individual users.

Trusted Devices

After successful 2FA authentication, Odoo offers a "Remember this device" option. If checked, the browser is trusted for 90 days — the user won't be prompted for a 2FA code from that browser/device during that period. The trust is stored in a browser cookie.

For high-security environments, you may want to disable this feature. It's controlled by the session security settings in recent Odoo versions.

2FA for API Access

TOTP 2FA applies to the web interface login flow only. API key authentication (used by integrations) is not subject to the 2FA prompt. Ensure API keys are treated with the same sensitivity as passwords — rotate them regularly and revoke unused keys in Settings > Technical > API Keys.

How DeployMonkey Protects Your Odoo Instance

DeployMonkey recommends enabling 2FA for all users on your managed instance — especially the administrator account. Combined with Odoo security best practices and our platform-level infrastructure security, your instance is protected at both the application and infrastructure layers. Start your secure Odoo instance free.

Frequently Asked Questions

Which Odoo versions support built-in 2FA?

Odoo's built-in TOTP 2FA was introduced in version 14. It is available in all versions from 14 through 19. Odoo 13 and earlier require a third-party module for 2FA support.

Can I enforce 2FA only for specific user groups?

The built-in setting offers system-wide enforcement or administrator-only enforcement, not per-group configuration. For granular group-based enforcement, you need a custom module or a third-party access control module.

What happens when a user's authenticator app generates the wrong code?

TOTP codes are time-based, so clock drift on the user's phone can cause code mismatches. Most authenticator apps sync automatically. If a user consistently gets wrong codes, verify their phone's time is set to automatic/network time. Odoo allows a 1-window tolerance (±30 seconds) to accommodate minor clock drift.
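The following Python is an added example, not code from the original post or from Odoo itself. It implements the RFC 6238 check the page describes (HMAC-SHA1 HOTP over a 30-second counter, a 6-digit code, the 1-window tolerance of ±30 seconds) and adds the last-used-counter check that makes an accepted code single-use, as the "cannot be reused" rule in the overview requires. The function names, the base32 helper and the demo secret (the RFC 6238 test-vector key, not a real Odoo secret) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30  # RFC 6238 time step; Odoo codes rotate every 30 seconds
DIGITS = 6         # Odoo prompts for a 6-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, timestamp // step)


def decode_base32_secret(secret_b32: str) -> bytes:
    """otpauth:// URIs (what a setup QR code carries) hold the secret as unpadded base32."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify(secret: bytes, code: str, timestamp: int,
           last_counter: Optional[int] = None, window: int = 1) -> Tuple[bool, Optional[int]]:
    """Accept a code from the current step or +/- `window` steps (the 1-window, +/-30 s
    tolerance described above). A counter at or before `last_counter` is refused so an
    already-used code cannot be replayed. Returns (accepted, counter_to_store)."""
    current = timestamp // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue  # this time step was already consumed by an earlier login
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), not a real Odoo secret.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    ok, counter = verify(secret, totp(secret, 1111111111), 1111111111)
    print("accepted:", ok, "counter:", counter)
    print("replay accepted:", verify(secret, totp(secret, 1111111111), 1111111120, counter)[0])
```

A phone that is one step behind still passes (its code matches `current - 1`), while the same code presented again after the stored counter has advanced is refused.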

Is there a way to bypass 2FA in an emergency?

An Odoo administrator can revoke 2FA for any user (Step 4 above). For the administrator account itself, if you are locked out of the Odoo web interface, you can reset 2FA directly in the database: connect to PostgreSQL and delete the user's TOTP secret from the res.users.authenticator table.

Does 2FA protect the Odoo database manager?

No. The database manager (/web/database/manager) uses only the master password — it has no 2FA support. This is another reason to disable the database manager in production with list_db = False. See Odoo security best practices for the full hardening checklist.