========================= Two-factor Authentication ========================= Two-factor authentication ("2FA") is a good way to improve the security of an account, to make it less likely that an other person will manage to log in instead of you. Practically, it means storing a secret inside an *authenticator* (usually your cell phone) and exchanging a code from the authenticator when you try to log in. This means an attacker needs *both* to have guessed (or found) your password and to access (or steal) your authenticator, a more difficult proposition than either one or the other. Requirements ============ .. note:: These lists are just examples, they are not endorsements of any specific software. If you don't already have one, you will need to choose an authenticator. Phone-based authenticators are the easiest and most common so we will assume you'll pick and install one on your phone, examples include `Authy `_, `FreeOTP `_, `Google Authenticator `_, `LastPass Authenticator `_, `Microsoft Authenticator `_, ...; password managers also commonly include :abbr:`2FA (two-factor authentication)` support e.g. `1Password `_, `Bitwarden `_, ... For the sake of demonstration we will be using Google Authenticator (not because it is any good but because it is quite common). Setting up two-factor authentication ==================================== Once you have your authenticator of choice, go to the Odoo instance you want to setup :abbr:`2FA (two-factor authentication)`, then open :guilabel:`Preferences` (or :guilabel:`My Profile`): .. figure:: media/totp_setup/preferences.png :align: center Open the :guilabel:`Account Security` tab, then click the :guilabel:`Enable two-factor authentication` button: .. figure:: media/totp_setup/sec_tab.png :align: center Because this is a security-sensitive action, you will need to input your password: .. figure:: media/totp_setup/sec_enhanced.png :align: center After which you will see this screen with a barcode: .. figure:: media/totp_setup/totp_scan.png :align: center In most applications, you can simply *scan the barcode* via the authenticator of your choice, the authenticator will then take care of all the setup: .. figure:: media/totp_setup/scan_barcode.jpg :align: center .. note:: If you can not scan the screen (e.g. because you are doing this set-up on the same phone as the authenticator application), you can click the provided link, or copy the secret to manually set-up your authenticator: .. figure:: media/totp_setup/secret_visible.png :align: center .. figure:: media/totp_setup/input_secret.png :align: center Once this is done, the authenticator should display a *verification code* with some useful identifying information (e.g. the domain and login for which the code is): .. figure:: media/totp_setup/authenticator.png :align: center You can now input the code into the :guilabel:`Verification Code` field, then click the :guilabel:`Enable two-factor authentication` button. Congratulation, your account is now protected by two-factor authentication! .. figure:: media/totp_setup/totp_enabled.png :align: center Logging in ========== You should now :guilabel:`Log out` to follow along. On the login page, input the username and password of the account for which you set up :abbr:`2FA (two-factor authentication)`, rather than immediately enter Odoo you will now get a second log-in screen: .. figure:: media/totp_setup/2fa_input.png :align: center Get your authenticator, input the code it provides for the domain and account, validate, and you're now in. And that's it. From now on, unless you disable :abbr:`2FA (two-factor authentication)` you will have a two-step log-in process rather than the old one-step process. .. danger:: Don't lose your authenticator, if you do, you will need an *Odoo Administrator* to disable :abbr:`2FA (two-factor authentication)` on the account.