The Security Breach Scenario
Your D2C staff member uses password: password123 (shared across 3 systems).
Scenario A (No Password Policy, No 2FA)
- Hacker cracks password in seconds (dictionary attack)
- Accesses Odoo using stolen password
- No second factor to verify identity
- Browses all customer data
- Modifies orders, invoices, customer info
- Steals payment information
- Complete data breach
- Regulatory fines, customer lawsuits
- Cost: $500K-$5M
Scenario B (Strong Password Policy + 2FA)
- Hacker can't crack password (strong policy prevents weak passwords)
- Tries to log in with password
- Odoo prompts for 2FA code (one-time password from phone)
- Hacker doesn't have phone
- Login blocked
- Attack prevented
- Data safe, user unaware attack occurred
- Cost: $0
The Difference: complete data breach vs. a blocked login attempt.
And setup takes 30 minutes.
We've implemented 150+ Odoo systems. The ones with strong password policies + 2FA? Zero account compromises, users appreciate the security (builds trust), zero breach incidents. The ones without? Compromised accounts, unauthorized transactions, data theft, $200K-$500K in damages. That's completely preventable.
Password Policy (Layer 1 of Defense)
What it is: Rules enforcing strong, unique passwords.
Configure Password Policy
Settings → General Settings → Password Policy
Settings available (OCA password_security module):
| Setting | Recommended |
|---|---|
| Minimum length | 12 characters |
| Uppercase letters | At least 1 |
| Numbers | At least 1 |
| Special characters | At least 1 |
| Password expiry | 90 days |
| Password history | Cannot reuse last 12 |
Weak Password Examples (REJECTED)
password123 ← No special char
MyPassword ← No number or special char
Test1 ← Too short (< 12)
Dec012025!! ← Reused 3 months ago
Strong Password Examples (ACCEPTED)
Odoo@2025Inc#Sec ← 16 chars, mixed case, numbers, special chars
MyComp@ny!Pass99 ← All requirements met
Xk9$mP#Lq2Yz! ← 13 chars, random, not based on any dictionary word
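As an added example (not code from the page or the OCA password_security module), a checker that applies the table's rules, plus the lowercase rule from the Step 2 configuration further down, to the weak and strong passwords above. The history check uses plain SHA-256 only to stay self-contained; Odoo stores passwords with passlib hashes, and a real check would use the same verifier.

```python
import hashlib
import string

# Policy values from the table above (assumed to be the OCA password_security settings).
POLICY = {"min_length": 12, "upper": 1, "lower": 1, "digits": 1, "special": 1, "history": 12}


def password_hash(password):
    """Stand-in for the stored password hash (SHA-256 here; Odoo uses passlib)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, history_hashes=(), policy=POLICY):
    """Return the list of violated rules; an empty list means the password is accepted.

    history_hashes: hashes of the user's previous passwords, most recent first.
    """
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"too short (< {policy['min_length']})")
    if sum(c.isupper() for c in candidate) < policy["upper"]:
        problems.append("no uppercase letter")
    if sum(c.islower() for c in candidate) < policy["lower"]:
        problems.append("no lowercase letter")
    if sum(c.isdigit() for c in candidate) < policy["digits"]:
        problems.append("no number")
    if sum(c in string.punctuation for c in candidate) < policy["special"]:
        problems.append("no special char")
    # Only the most recent N hashes count for the reuse rule
    if password_hash(candidate) in list(history_hashes)[:policy["history"]]:
        problems.append(f"reused one of last {policy['history']} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "MyPassword", "Test1", "Odoo@2025Inc#Sec", "Xk9$mP#Lq2Yz!"):
        print(pw, "->", check_password(pw) or "ACCEPTED")
```

Note that password123 and Test1 fail more than one rule each; the page lists only the most obvious violation for each.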
Two-Factor Authentication (2FA/MFA) - Layer 2 of Defense
What it is: Second verification method (TOTP code from phone) required to log in.
How It Works
Step 1: User enters password
Username: john@company.com
Password: Odoo@2025Inc#Sec
Step 2: Odoo validates password
✓ Password correct
Step 3: Odoo asks for 2FA code
"Enter code from authenticator app:"
Step 4: User opens authenticator app
Displays: 482917 (changes every 30 seconds)
Step 5: User enters code
Code: 482917
Step 6: Odoo validates code
✓ Code matches
✓ Login successful
Result: Only person with phone can log in.
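To show what happens in Step 6, here is an added example (not Odoo's or the OCA module's code) of the server-side TOTP check: the 6-digit, 30-second code is an HMAC-SHA1 over the current time step, and the server accepts a submitted code only if it matches the current step or a neighbouring one. The sample secret is the RFC 6238 reference secret; a real deployment generates a random secret per user when the QR code is shown.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 defaults, which standard authenticator apps also use
DIGITS = 6
STEP = 30


def totp_code(secret_b32, unix_time=None):
    """Compute the TOTP code for a base32-encoded shared secret at the given time."""
    if unix_time is None:
        unix_time = time.time()
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // STEP                     # 30-second time step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32, submitted, unix_time=None, window=1):
    """Return True if `submitted` matches the current code or one within `window` steps.

    The small window tolerates clock drift between phone and server; anything older
    is rejected, which is why a code seen by an attacker is useless 30 seconds later.
    """
    if unix_time is None:
        unix_time = time.time()
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):     # constant-time comparison
            return True
    return False


# Constructed sample secret (the RFC 6238 test-vector secret), base32 as shown in a QR code
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("current code:", totp_code(RFC6238_SECRET_B32))
```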
Install 2FA Module
```bash
# Install auth_totp module (OCA - open source)
# Note: since Odoo 14 an auth_totp module also ships in core and can be
# installed from the Apps menu without any download.
pip install odoo-addon-auth-totp
# Or from GitHub: clone, then copy auth_totp into your addons path
git clone https://github.com/OCA/server-auth.git
cd server-auth/auth_totp
```
Enable 2FA in Odoo
Settings → General Settings → Authentication
→ Enable Two-Factor Authentication
→ Save
User Setup (Self-Service)
1. User logs in normally
2. User clicks profile avatar → My Profile
3. User clicks "Change My Preferences"
4. User scrolls to "Security" section
5. User clicks "Enable Two-Factor Authentication"
6. Odoo shows QR code
7. User scans QR code with authenticator app
8. User enters code from app to confirm
9. Odoo stores backup codes (use if phone lost)
10. 2FA enabled!
Authenticator Apps (Free)
Google Authenticator (iOS/Android)
Microsoft Authenticator (iOS/Android)
Authy (iOS/Android)
FreeOTP (iOS/Android)
1Password (iOS/Android)
Enforce 2FA Company-Wide (Odoo 19+)
Odoo 19 introduced mandatory 2FA:
Settings → General Settings → Website
→ "Require two-factor authentication for internal users"
→ "Require two-factor authentication for public users"
→ Save
Result: All new users MUST enable 2FA. Existing users get notification.
For Odoo 17-18 (No Built-in Enforcement)
Use OCA auth_totp module + custom policy:
```python
# Add to your custom module (requires auth_totp, which provides totp_enabled)
from odoo import api, fields, models


class ResUsers(models.Model):
    _inherit = 'res.users'

    require_2fa = fields.Boolean(
        string='Require 2FA',
        default=True,
        company_dependent=True,
        help='Force user to enable 2FA',
    )

    @api.model_create_multi
    def create(self, vals_list):
        """Enforce 2FA for new users: post a notice on anyone created without it."""
        users = super().create(vals_list)
        for user in users:
            # Require 2FA if the policy flag is set for this user's company
            if user.require_2fa and not user.totp_enabled:
                # res.users is not a mail.thread; post on the linked partner
                user.partner_id.message_post(
                    body="Security Notice: 2FA is required. Please enable it in your preferences."
                )
        return users
```
Real D2C Example: Complete Security Implementation
Scenario: D2C with 50 staff members, handles customer payment data (PCI compliance required).
Step 1: Install Modules
```bash
pip install odoo-addon-password-security odoo-addon-auth-totp
```
Step 2: Configure Password Policy
Settings → General Settings → Password Policy
✓ Minimum length: 12
✓ Lowercase: 1
✓ Uppercase: 1
✓ Numbers: 1
✓ Special chars: 1
✓ Expiration: 90 days
✓ History: 12 previous passwords
Step 3: Enable 2FA
Settings → General Settings → Authentication
✓ Two-Factor Authentication: Enabled
✓ Require for internal users: YES
✓ Require for public users: YES
Step 4: Notify Users
Subject: New Security Requirements
Dear Team,
To protect customer data, we're implementing:
1. Strong password policy:
- Minimum 12 characters
- Mix of upper/lowercase, numbers, special characters
- Change every 90 days
2. Two-Factor Authentication (2FA):
- Required for all users
- Use authenticator app (Google Authenticator, Authy, etc.)
- Setup takes 2 minutes
Next login will prompt you to set these up.
Questions? Contact IT.
Step 5: Monitor Compliance
```sql
-- totp_enabled is a computed field with no column of its own; with auth_totp the
-- stored value is totp_secret, and last logins live in res_users_log.
SELECT u.login,
       (u.totp_secret IS NOT NULL) AS totp_enabled,
       MAX(l.create_date) AS last_login
FROM res_users u
LEFT JOIN res_users_log l ON l.create_uid = u.id
WHERE u.active = true
  AND u.totp_secret IS NULL
GROUP BY u.id, u.login
ORDER BY last_login DESC NULLS LAST;
-- Result: Identify users not yet set up
```
Step 6: Test Failover (Lost Phone)
User loses phone with authenticator app:
1. Admin logs in (has 2FA)
2. Goes to Users
3. Finds affected user
4. Clicks "Reset 2FA"
5. User receives email: "2FA reset"
6. User re-enables with new phone
Additional Security Layers
Trusted Devices (Optional)
After 2FA login, users can mark device as "trusted":
"Enter 2FA code: 482917"
☑ Remember this device for 30 days
[Login]
Result:
Next login from this device skips 2FA
Other devices still require 2FA
Login Notifications
```python
# Send email when user logs in from a new IP address.
# Assumes a small custom model user.login.ip (defined here, plus the usual
# ir.model.access.csv entry) to remember the addresses each user has used.
from odoo import fields, models
from odoo.http import request


class UserLoginIp(models.Model):
    _name = 'user.login.ip'
    _description = 'IP addresses a user has logged in from'

    user_id = fields.Many2one('res.users', required=True, ondelete='cascade', index=True)
    ip = fields.Char(required=True)


class ResUsers(models.Model):
    _inherit = 'res.users'

    def _update_last_login(self):
        """Core calls this after every successful authentication; hook the check here."""
        super()._update_last_login()
        self._check_login_location()

    def _check_login_location(self):
        """Alert user of login from a new location."""
        self.ensure_one()
        if not request:  # RPC logins may run without an HTTP request
            return
        # Get client IP address (behind a reverse proxy, enable proxy_mode in odoo.conf)
        request_ip = request.httprequest.remote_addr
        seen = self.env['user.login.ip'].sudo().search([('user_id', '=', self.id)])
        # Check if IP is new
        if request_ip and request_ip not in seen.mapped('ip'):
            if self.email:
                # Send alert email
                self.env['mail.mail'].sudo().create({
                    'subject': 'New login to Odoo',
                    'email_to': self.email,
                    'body_html': f'<p>Login detected from new location: {request_ip}</p>',
                }).send()
            # Store IP so the next login from it is silent
            self.env['user.login.ip'].sudo().create({'user_id': self.id, 'ip': request_ip})
```
Your Action Items
Immediate (30 minutes)
❏ Install password_security module
❏ Configure password policy (12+ chars, mixed case, numbers, special)
❏ Save settings
Short-term (1 hour)
❏ Install auth_totp module
❏ Enable 2FA in settings
❏ Enable requirement for all users (Odoo 19+)
❏ Send notification to all staff
User Rollout (1 week)
❏ Each user enables 2FA (2 min per person)
❏ Store backup codes in safe place
❏ Test with 1 user first
Ongoing
❏ Monitor password changes
❏ Check 2FA adoption
❏ Help users who lose phones
❏ Review login attempts
Free Security Implementation Workshop
Stop accepting weak security. Most D2C brands have zero password policy and zero 2FA. Adding them prevents $200K-$500K in account hijacking and data theft. We'll review current password policies, install and configure password_security module, set up 2FA (TOTP), enable enforcement, train staff on secure passwords, and test everything.
