2020-11-27 15:47:59 +07:00
|
|
|
=========================
|
|
|
|
|
Two-factor Authentication
|
|
|
|
|
=========================
|
|
|
|
|
|
|
|
|
|
Two-factor authentication ("2FA") is a good way to improve the
|
|
|
|
|
security of an account, to make it less likely that an other person
|
|
|
|
|
will manage to log in instead of you.
|
|
|
|
|
|
|
|
|
|
Practically, it means storing a secret inside an *authenticator*
|
|
|
|
|
(usually your cell phone) and exchanging a code from the authenticator
|
|
|
|
|
when you try to log in.
|
|
|
|
|
|
|
|
|
|
This means an attacker needs *both* to have guessed (or found) your
|
|
|
|
|
password and to access (or steal) your authenticator, a more difficult
|
|
|
|
|
proposition than either one or the other.
|
|
|
|
|
|
|
|
|
|
Requirements
|
|
|
|
|
============
|
|
|
|
|
|
|
|
|
|
.. note:: These lists are just examples, they are not endorsements of
|
|
|
|
|
any specific software.
|
|
|
|
|
|
|
|
|
|
If you don't already have one, you will need to choose an
|
|
|
|
|
authenticator.
|
|
|
|
|
|
|
|
|
|
Phone-based authenticators are the easiest and most common so we will
|
|
|
|
|
assume you'll pick and install one on your phone, examples include
|
|
|
|
|
`Authy <https://authy.com/>`_, `FreeOTP
|
|
|
|
|
<https://freeotp.github.io/>`_, `Google Authenticator
|
|
|
|
|
<https://support.google.com/accounts/answer/1066447?hl=en>`_,
|
|
|
|
|
`LastPass Authenticator <https://lastpass.com/auth/>`_, `Microsoft
|
|
|
|
|
Authenticator
|
|
|
|
|
<https://www.microsoft.com/en-gb/account/authenticator?cmp=h66ftb_42hbak>`_,
|
|
|
|
|
...; password managers also commonly include :abbr:`2FA (two-factor
|
|
|
|
|
authentication)` support e.g. `1Password
|
|
|
|
|
<https://support.1password.com/one-time-passwords/>`_, `Bitwarden
|
|
|
|
|
<https://bitwarden.com/help/article/authenticator-keys/>`_, ...
|
|
|
|
|
|
|
|
|
|
For the sake of demonstration we will be using Google Authenticator
|
|
|
|
|
(not because it is any good but because it is quite common).
|
|
|
|
|
|
|
|
|
|
Setting up two-factor authentication
|
|
|
|
|
====================================
|
|
|
|
|
|
|
|
|
|
Once you have your authenticator of choice, go to the Odoo instance
|
|
|
|
|
you want to setup :abbr:`2FA (two-factor authentication)`, then open
|
|
|
|
|
:guilabel:`Preferences` (or :guilabel:`My Profile`):
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/preferences.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
Open the :guilabel:`Account Security` tab, then click the
|
|
|
|
|
:guilabel:`Enable two-factor authentication` button:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/sec_tab.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
Because this is a security-sensitive action, you will need to input
|
|
|
|
|
your password:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/sec_enhanced.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
After which you will see this screen with a barcode:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/totp_scan.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
In most applications, you can simply *scan the barcode* via the
|
|
|
|
|
authenticator of your choice, the authenticator will then take care of
|
|
|
|
|
all the setup:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/scan_barcode.jpg
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
If you can not scan the screen (e.g. because you are doing this
|
|
|
|
|
set-up on the same phone as the authenticator application), you can
|
|
|
|
|
click the provided link, or copy the secret to manually set-up your
|
|
|
|
|
authenticator:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/secret_visible.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/input_secret.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
Once this is done, the authenticator should display a *verification
|
|
|
|
|
code* with some useful identifying information (e.g. the domain and
|
|
|
|
|
login for which the code is):
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/authenticator.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
You can now input the code into the :guilabel:`Verification Code`
|
|
|
|
|
field, then click the :guilabel:`Enable two-factor authentication`
|
|
|
|
|
button.
|
|
|
|
|
|
|
|
|
|
Congratulation, your account is now protected by two-factor
|
|
|
|
|
authentication!
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/totp_enabled.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
Logging in
|
|
|
|
|
==========
|
|
|
|
|
|
|
|
|
|
You should now :guilabel:`Log out` to follow along.
|
|
|
|
|
|
|
|
|
|
On the login page, input the username and password of the account for
|
|
|
|
|
which you set up :abbr:`2FA (two-factor authentication)`, rather than
|
|
|
|
|
immediately enter Odoo you will now get a second log-in screen:
|
|
|
|
|
|
[MOV] content/*: move resource files into their related page's directory
Since odoo/documentation#903, the guideline for the location of new
resource (images, downloadable files, RST includes...) files is to place
those inside the directory of the RST page that references them.
For example, if `doc1.rst` has a reference to `image.png` and to
`download.zip`, the file structure should look like this:
├── parent_doc/
│ └── doc1/
│ │ └── image.png
│ │ └── download.zip
│ └── doc1.rst
│ └── doc2.rst
├── parent_doc.rst
Before this commit, most of the resource files were still located inside
'media' directories holding all the resource files referenced by RST
pages located at the same level as these directories. In the example
above, a single 'media' directory would hold all the resource files
referenced by both `doc1.rst` and `doc2.rst`. Doing so prevented us from
figuring out easily which resource file was referenced by which RST page
and, thus, lead to unused resource files piling up in the repository. It
also made it more complicated to define codeowners regex rules because a
team could not simply be assigned to `/some_page.*` but needed to be
assigned to both `/some_page\.rst` and to the location of 'media'.
In order to help new content writers figure out the guideline when
taking examples from other RST pages, this commit retroactively applies
the guideline to existing resource files and 'media' directories. The
left-over resource files that are not referenced by any RST page are
removed.
task-2497965
Part-of: odoo/documentation#2068
2022-05-20 16:54:32 +07:00
|
|
|
.. figure:: 2fa/2fa_input.png
|
2020-11-27 15:47:59 +07:00
|
|
|
:align: center
|
|
|
|
|
|
|
|
|
|
Get your authenticator, input the code it provides for the domain and
|
|
|
|
|
account, validate, and you're now in.
|
|
|
|
|
|
|
|
|
|
And that's it. From now on, unless you disable :abbr:`2FA (two-factor
|
|
|
|
|
authentication)` you will have a two-step log-in process rather than
|
|
|
|
|
the old one-step process.
|
|
|
|
|
|
|
|
|
|
.. danger:: Don't lose your authenticator, if you do, you will need an
|
|
|
|
|
*Odoo Administrator* to disable :abbr:`2FA (two-factor
|
|
|
|
|
authentication)` on the account.
|