Manage Odoo authentication with logins, 2FA & SSO access

28 May 2025

Authentication sits at the core of your ERP. In Odoo, managing who can access what and how is essential for data integrity, access clarity and user traceability.

Whether you're just rolling out Odoo or expanding to new teams and subsidiaries, clear identity management is key. 

From simple password logins to advanced setups using Single Sign-On or two-factor authentication, Odoo gives you the tools to define secure, scalable access across your organisation.

Odoo protects business data with login-based identity control

Odoo systems often contain sensitive data across accounting, HR, customer records and more. Because of this, user authentication becomes a critical layer of defence against unauthorised access and data breaches.

Every internal login is connected to an Odoo user with a license. This makes identity control relevant for both security and budgeting purposes.

Odoo lets you set up logins for individual users or shared roles. Shared users, like those used at terminals or scanners, are available but should be used with clear purpose and oversight.

Odoo login screen for backend and portal access.

Two-factor authentication is a default for secured Odoo logins

Odoo’s default authentication uses a simple email and password. For accounts with higher access levels, two-factor authentication (2FA) adds an extra layer of security. This can be enabled using built-in features or third-party modules.

Types of Odoo authentication that are supported natively

In supported versions of Odoo, two-factor authentication (2FA) works with an authenticator app installed on the user’s smartphone, like Google Authenticator or Microsoft Authenticator:

  1. The user logs into Odoo on their computer and goes to their account settings.

  2. They enable two-factor authentication (2FA), which displays a unique QR code on screen.

  3. Using their smartphone, they open an authenticator app like Google Authenticator or Microsoft Authenticator.

  4. They scan the QR code with the app, which links the app to their Odoo account.

  5. From that point on, the app on their phone generates a 6-digit code that refreshes every 30 seconds.

  6. Each time the user logs into Odoo on any device, they enter their usual password first, then open the app on their phone to get the current code, and enter that as the second step.

These one-time codes are tied to the user’s device, so knowing the password alone is not enough: logging in also requires physical access to the phone.

Other methods, such as SMS or email-based 2FA, are also possible using third-party modules.

What’s not covered by 2FA in Odoo

2FA does not apply across all system features. Some modules have their own identity verification methods.

  • The eSign feature supports SMS, email, geoIP or handwritten e-signature for identity verification.
  • The Attendance app supports badge numbers for check-in, not login.

Odoo authentication integrates with external identity providers

Odoo can be integrated with Single Sign-On (SSO) using OAuth2, SAML or LDAP. This is relevant for organisations using identity providers like:

  • Microsoft Azure AD
  • Google Workspace
  • Okta
  • Keycloak.

Integrations are implemented via third-party connectors or custom development. Once set up, users log in with existing credentials.

Each internal user requires an Odoo licence, regardless of which authentication method they use to log into the system.

Odoo assigns access through user roles and permissions

Once logged in, users receive access based on defined roles. Odoo supports fine-grained control of both visibility and functionality.

User types

  • Internal users: Full access to backend apps.
  • Portal users: Limited access to shared records.
  • Public users: Website access only, no login required.

Access levels in Odoo

Odoo lets you define access rights per user across key areas of the system. In the user settings, you can assign role-based access levels to specific apps such as Sales, Helpdesk or Website.

This allows you to quickly configure what each person can see and do, without having to manage every permission manually.

You can combine these app-level settings with groups, record rules, and access control lists (ACLs) to create more advanced permission structures. 

Access rights in Odoo are assigned per app and role, visible in the user’s settings screen.

Access control architecture

Odoo applies a layered permission system:

  1. Access Control Lists (ACLs) define model-level rights such as create, read, write or delete.
  2. Record Rules filter access down to specific records.
  3. Group controls define which menus and features users can see or use.

Odoo includes over 50 preconfigured groups. These can be customised or combined as needed. The system is scalable from small teams to multi-company setups with thousands of users.

Licences and shared logins

Odoo treats every login as one user. This includes:

  • Named logins, for traceability.
  • Shared logins, for scanners or kiosks.

FYI: Inactive Odoo users can be archived, which disables their login and removes them from your licence count. Access remains restricted through both the app and database. This lets you retain full history without paying for unused accounts or losing data from these users.

Best practices to keep your Odoo authentication secure

Good access management relies on more than settings. Day-to-day maintenance plays a key role in keeping systems secure and audit-ready.

Recommended practices include:

  • Enable 2FA wherever supported.
  • Use named users for all staff roles.
  • Review access rights on a regular basis.
  • Archive or remove accounts that are no longer in use.
  • Limit access by role, department or company.
  • Review external identity settings if SSO is enabled.

In multi-company setups, access is filtered by company. The system ensures users only see records linked to the companies they are assigned to. Combined with group-level rights and record rules, this ensures visibility stays clean and secure.
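How the ACL and record-rule layers from the access control architecture combine with the company filter described above, as an added example that is not Odoo's code. It is a simplified model: the group names, records and rule functions are hypothetical, and the menu and feature visibility layer is not modelled.

```python
# Constructed data: groups, model name and rules are hypothetical and only mirror
# the shape of ACLs (model-level rights) and record rules (per-record filters).
ACLS = [  # (group, model, granted operations)
    ("sales_user", "sale.order", {"read", "write", "create"}),
    ("sales_manager", "sale.order", {"read", "write", "create", "unlink"}),
]
GLOBAL_RULES = [  # apply to every user; all must pass (here: the company filter)
    lambda user, rec: rec["company"] in user["companies"],
]
GROUP_RULES = {  # apply per group; passing any rule from the user's groups is enough
    "sales_user": [lambda user, rec: rec["salesperson"] == user["name"]],
    "sales_manager": [lambda user, rec: True],
}


def acl_allows(user, model, op):
    """Layer 1: model-level rights are the union of what the user's groups grant."""
    return any(g in user["groups"] and m == model and op in ops for g, m, ops in ACLS)


def rules_allow(user, rec):
    """Layer 2: global rules are ANDed; group rules are ORed, then ANDed with the globals."""
    if not all(rule(user, rec) for rule in GLOBAL_RULES):
        return False
    group_rules = [r for g in user["groups"] for r in GROUP_RULES.get(g, [])]
    return not group_rules or any(r(user, rec) for r in group_rules)


def visible_records(user, model, op, records):
    """Return the ids the user may act on; raise if the ACL layer denies the operation."""
    if not acl_allows(user, model, op):
        raise PermissionError(f"{user['name']} has no {op} right on {model}")
    return [rec["id"] for rec in records if rules_allow(user, rec)]


ORDERS = [
    {"id": 1, "company": "A", "salesperson": "alice"},
    {"id": 2, "company": "A", "salesperson": "bob"},
    {"id": 3, "company": "B", "salesperson": "alice"},
]
ALICE = {"name": "alice", "groups": {"sales_user"}, "companies": {"A"}}
MANAGER = {"name": "carol", "groups": {"sales_user", "sales_manager"}, "companies": {"A"}}
PORTAL = {"name": "dave", "groups": {"portal"}, "companies": {"A"}}

if __name__ == "__main__":
    print(visible_records(ALICE, "sale.order", "read", ORDERS))
    print(visible_records(MANAGER, "sale.order", "read", ORDERS))
```

Adding a group can only widen what a user sees, which is why the access reviews recommended above should look at the full set of groups per user rather than at one group at a time.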

Odoo groups define who can access apps, models and menus.

Is your Odoo authentication process ready for secure identity management?


Setting up access in Odoo means structuring permissions, enforcing policies and keeping compliance in check as your organisation grows.

Want to assess your current setup or plan for scale? Talk to our experts and make sure your Odoo is ready for secure access, SSO, and identity management now and in the future.
