OCA / server-tools

Tools for Odoo Administrators to improve some technical features on Odoo.
https://odoo-community.org/psc-teams/tools-30
GNU Affero General Public License v3.0

[RFC] Two-Factor Authentication (TFA) via mobile app #965

Closed elicoidal closed 6 years ago

elicoidal commented 7 years ago

Hi, it is quite frequent in China to have TFA performed via mobile (mostly Wechat, Alibaba or QQ) with the following procedure:

  1. the user provides the password on the website (in this case Odoo)
  2. the website displays a QR
  3. the user scans the QR in an app installed on his telephone
  4. the phone app acknowledges the scanning and phones back to the website service
  5. the user is allowed to sign in to the website.

I wonder whether there is interest in achieving this in Odoo. It would require:

  1. modification of the login page to include a second step to display a QR code
  2. setting an expiry date for the login (we already have some module for that AFAIR), e.g. 24h
  3. having a simple Android app, able to log in to Odoo + read the QR + send the acknowledgment

This is a usually accepted simple TFA process. More complex ones could be implemented via SMS, but it might imply complexity in certain countries. I can help on the Android developments as I have some resource available, but I would probably need help on the Odoo part (currently fully booked and not sure to have the right guy).

Any thought?
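The five-step procedure above, as an added server-side sketch of the QR handshake (this is illustrative code, not code from OCA, Odoo or auth_totp); the class and method names, the 120-second QR lifetime and the string user ids are assumptions:

```python
import secrets
import time

# Assumed lifetime of a displayed QR, in seconds (the thread only mentions a 24h login expiry).
CHALLENGE_TTL = 120


class QrLoginServer:
    """Server side of the two-step login from the issue. Illustrative only; not Odoo code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # nonce -> (user, expires_at): QR shown, waiting for the phone
        self._approved = {}  # nonce -> user: phone acknowledged, browser may finish login

    def start_challenge(self, user):
        """Steps 1-2: the password of `user` was already verified; mint the nonce the QR encodes.
        The nonce is what binds the browser session, the QR and the later acknowledgment."""
        nonce = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._pending[nonce] = (user, self._clock() + CHALLENGE_TTL)
        return nonce

    def acknowledge(self, nonce, app_user):
        """Step 4: the app, itself logged in to Odoo as `app_user`, posts the scanned nonce back.
        The nonce is consumed on first use whether or not the checks pass (single use)."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False            # unknown, already used, or already rejected nonce
        user, expires_at = entry
        if self._clock() > expires_at:
            return False            # QR expired before it was scanned
        if user != app_user:
            return False            # scanned by a phone that belongs to someone else
        self._approved[nonce] = user
        return True

    def finish_login(self, nonce):
        """Step 5: the browser polls with its own nonce; returns the user to sign in,
        or None while the phone has not (yet) acknowledged. Approval is also single use."""
        return self._approved.pop(nonce, None)
```

Step 3 (scanning) happens entirely on the phone; the only data the QR has to carry is the nonce plus the server URL the app should call.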

elicoidal commented 7 years ago

@lasley @pedrobaeza @Yajo @moylop260 @dreispt @gurneyalex @sbidoul

lasley commented 7 years ago

@elicoidal Are you looking for auth_totp?

elicoidal commented 7 years ago

Thanks @lasley. That is very similar indeed; the password authentication method is different. Not sure we can inherit this module to achieve the desired procedure during the second step.

yajo commented 7 years ago

I wouldn't recommend developing such an addon. auth_totp is quite awesome and easy to use, and works with an industry standard with many client apps. Besides, it lets users choose their security level. Fair enough, isn't it?

Maybe a good extension would be not to let users choose but to enforce a given policy from the system, but it feels quite good right now as it is.

elicoidal commented 7 years ago

@yajo I will test the module and see if it can fulfill my requirements. Nevertheless, my proposal is to have another method which can be complementary to the current one. (As said, I will test and come back to you.)

lasley commented 7 years ago

@elicoidal - I honestly have not heard of the process you are describing. Are you sure that the QR code isn't being scanned into the phone app for registering MFA devices?

We're looking at adding in the ability for push MFA, such as that which exists in LastPass Authenticator, but the process is nearly identical to TOTP. The only difference is that when the page asking for the MFA token appears, a push notification is sent to the device which then allows an unlock without the user entering the code.

elicoidal commented 6 years ago

@yajo @lasley tests are fine: this is indeed a great module. Having a company policy to force the users to use TFA by default is a must.

elicoidal commented 6 years ago

Closing on my side.

lasley commented 6 years ago

Worth noting: on our end we're planning on leveraging this core to also allow MFA via email and possibly text messages. The latter I'm torn on though, because SMS is horribly insecure (worse than email).