<a class="reference external image-reference" href="https://www.gnu.org/licenses/agpl.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/license-AGPL--3-blue.png" /></a> <a name="mfa-support-via-totp"></a> <h2>MFA Support via TOTP</h2> <p>This module adds support for MFA using TOTP (time-based, one-time passwords) for the specific use case where :</p> <ul class="simple"> <li>Users usually connect from a list of known IPs (e.g. their company IPs), and should be able to do so without MFA.</li> <li>Selected users can connect from other IPs (e.g. roaming users), and MFA must be active for them.</li> <li>Other users are not allowed to connect from other IPs and should be simply blocked</li> </ul> <p>This module is based on OCA's <cite>auth_totp</cite> module.</p> <a name="installation"></a> <h3>Installation</h3> <ol class="arabic simple"> <li>Install the PyOTP library using pip: <code>pip install pyotp</code></li> <li>Follow the standard module install process</li> </ol> <a name="configuration"></a> <h3>Configuration</h3> <p>By default, the trusted device cookies introduced by this module have a <code>Secure</code> flag. This decreases the likelihood of cookie theft via eavesdropping but may result in cookies not being set by certain browsers unless your Odoo instance uses HTTPS. If necessary, you can disable this flag by going to <code>Settings &gt; Parameters &gt; System Parameters</code> and changing the <code>auth_totp.secure_cookie</code> key to <code>0</code>.</p> <a name="usage"></a> <h3>Usage</h3> <p>If necessary, a user's trusted devices can be revoked by disabling and re-enabling MFA for that user.</p>