The 2FA Lockout Problem
Two-factor authentication protects your Odoo account, but when you lose access to your authenticator app, get a new phone, or the TOTP codes stop working, you are completely locked out. The login page asks for a verification code you cannot provide, and there is no "forgot 2FA" link.
What You See
# After entering correct username and password:
"Verification Code"
"Enter the code from your authenticator app"
[______] [Verify]
# You enter a code and get:
"Verification failed, please try again."
# Or the code field appears but your authenticator app
# shows codes for a different account
Why TOTP Codes Stop Working
1. Phone Lost or Factory Reset
The TOTP secret is stored in the authenticator app on your device. If you lose the phone or reset it, the secret is gone.
2. Time Drift
TOTP codes are time-based. If your server clock or phone clock is significantly wrong (more than 30 seconds), codes will not match.
# Check server time
date
# Check NTP sync
timedatectl status
# If time is wrong:
sudo timedatectl set-ntp true
sudo systemctl restart systemd-timesyncd
3. Wrong Authenticator Entry
You may have scanned the QR code for a different Odoo instance or the entry was duplicated in your authenticator app. Check if you have multiple entries and try each one.
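To make the time-drift explanation above concrete, here is an added example (not from the original article and not Odoo's own code) that implements RFC 6238 TOTP plus a verifier with an assumed one-step tolerance window, then checks which phone-clock offsets still yield an accepted code. The key is the RFC 6238 test secret and the timestamp is constructed; the window size is an assumption, not Odoo's documented value.

```python
import base64
import hashlib
import hmac
import struct

TIMESTEP = 30  # seconds per TOTP step; the RFC 6238 default used by authenticator apps

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIMESTEP)."""
    return hotp(key, unix_time // TIMESTEP, digits)

def verify(key: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or any step within +/- window steps.
    (Assumed window; a one-step window tolerates roughly one timestep of drift.
    Beyond that, phone and server derive different counters and nothing matches.)"""
    step = server_time // TIMESTEP
    return any(hmac.compare_digest(hotp(key, step + d, len(code)), code)
               for d in range(-window, window + 1))

def drift_accepted(key: bytes, server_time: int, phone_drift_s: int, window: int = 1) -> bool:
    """Would a code from a phone whose clock is off by phone_drift_s seconds be accepted?"""
    return verify(key, totp(key, server_time + phone_drift_s), server_time, window)

def key_from_base32(secret: str) -> bytes:
    """Authenticator apps receive the shared secret base32-encoded (the QR payload);
    this restores the raw key bytes, re-adding any stripped '=' padding."""
    compact = secret.strip().replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real Odoo secret.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server_now = 1_700_000_000  # constructed server timestamp
    for drift in (0, 25, 45, 100, -100):
        print(f"phone clock off by {drift:>5}s -> accepted: {drift_accepted(key, server_now, drift)}")
```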
Fix 1: Admin Disables 2FA for the User
If another admin account still has access:
- Log in as admin
- Go to Settings → Users & Companies → Users
- Find the locked-out user
- Click the user record
- In the Account Security section, click "Disable Two-Factor Authentication"
- Tell the user to log in and re-enable 2FA with their new device
Fix 2: Disable 2FA via Database (All Admins Locked Out)
If all admin accounts are locked out, you need direct database access.
# Connect to PostgreSQL
psql -U odoo -d your_database
-- Find the locked-out user (Odoo treats 2FA as enabled whenever totp_secret is set)
SELECT id, login, totp_secret IS NOT NULL AS totp_enabled FROM res_users WHERE login = 'admin';
-- Disable 2FA for that user by clearing the stored secret
UPDATE res_users SET totp_secret = NULL WHERE login = 'admin';
-- Or disable for ALL users (emergency)
UPDATE res_users SET totp_secret = NULL;
# Restart Odoo after database changes
sudo systemctl restart odoo
After disabling 2FA via the database, log in with just your username and password. Then re-enable 2FA with your current authenticator app.
Fix 3: Disable 2FA via Odoo Shell
If you have server access but not database access:
# Start Odoo shell
./odoo-bin shell -d your_database
# In the shell:
user = env['res.users'].sudo().search([('login', '=', 'admin')])
user.ensure_one()  # stop here if the login matched zero or several users
# totp_enabled is computed from totp_secret, so clearing the secret is what disables 2FA
user.totp_secret = False
env.cr.commit()
print(f'2FA disabled for {user.login}')
exit()
Fix 4: Use Trusted Device Tokens
If you previously marked a device as trusted, that device can bypass 2FA. Check if you have an active session on another browser or computer where you are still logged in. From there, you can access your account and reset 2FA.
Fix 5: Restore TOTP From Backup Codes
Some authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) support cloud backup. If you enabled backup in your authenticator app, you can restore your codes on a new device:
- Google Authenticator: Sign in with your Google account to restore
- Authy: Install on new device, enter phone number, codes sync automatically
- Microsoft Authenticator: Restore from iCloud/Google backup
Preventing Future Lockouts
1. Use an Authenticator With Cloud Sync
Authy or Microsoft Authenticator sync codes across devices. If you lose one device, codes are available on another.
2. Save Backup Codes
When enabling 2FA, Odoo shows backup/recovery codes. Save these in a password manager or secure location.
3. Register Multiple Devices
Scan the QR code with two authenticator apps on different devices. Both will generate valid codes.
4. Keep an Admin Account Without 2FA
For emergency access, keep one admin account without 2FA enabled but with a very strong password. Restrict this account to internal network access only.
5. Document the Recovery Process
Write down the database access method for your team so anyone with server access can disable 2FA in emergencies.
Security Considerations
Disabling 2FA via the database bypasses all Odoo security. After recovering access:
- Re-enable 2FA immediately
- Change your password
- Check the audit log for unauthorized access during the lockout period
- Review active sessions and revoke any suspicious ones