Table of Contents

  1. Introduction

  2. Understanding the Importance of Two-Factor Authentication (2FA)

  3. Security Threats in ERP Systems Without 2FA

  4. Overview of Dolibarr’s Authentication Mechanism

  5. Core Requirements for Enabling 2FA

  6. Types of 2FA Supported by Dolibarr

  7. Preparing Your Dolibarr Environment for 2FA

  8. Installing and Activating the Two-Factor Authentication Module

  9. Setting Up Two-Factor Authentication for Administrators

  10. Setting Up 2FA for End Users

  11. Using Google Authenticator with Dolibarr

  12. Using Email-Based OTP for 2FA in Dolibarr

  13. Customizing the 2FA Prompt Message and Login Flow

  14. Managing Recovery Options for Locked-Out Users

  15. Logging and Monitoring 2FA Events in Dolibarr

  16. Best Practices for Enforcing 2FA Across the Organization

  17. Integrating 2FA with LDAP and External SSO Solutions

  18. Auditing User Compliance with 2FA Policies

  19. Troubleshooting Common 2FA Issues

  20. Conclusion and Future of Secure Authentication in Dolibarr


1. Introduction

In today’s cybersecurity landscape, protecting enterprise data goes beyond setting a strong password. As businesses rely more heavily on ERP platforms like Dolibarr to manage critical operations, securing user accounts becomes vital. Two-Factor Authentication (2FA) provides an additional layer of security by requiring a secondary form of identification beyond just a password.

This comprehensive guide walks you through enabling and managing 2FA in Dolibarr without requiring extensive technical expertise.

2. Understanding the Importance of Two-Factor Authentication (2FA)

2FA significantly reduces the risk of unauthorized access by combining two forms of identity verification:

  • Something you know: your password

  • Something you have: a code from an app or email

If an attacker compromises your password, they still need the second factor to gain access.

3. Security Threats in ERP Systems Without 2FA

  • Credential theft through phishing

  • Brute-force attacks on login endpoints

  • Insider threats with reused or weak passwords

  • Malware-based password logging

For systems managing financial, CRM, inventory, and HR data, the lack of 2FA creates significant risk.

4. Overview of Dolibarr’s Authentication Mechanism

Dolibarr uses a session-based login system with default support for:

  • Username/password

  • LDAP/Active Directory (optional)

  • External authentication modules (via API)

As of version 15+, support for 2FA is available via core and external modules.

5. Core Requirements for Enabling 2FA

  • Dolibarr version 15.0 or higher (recommended v18+)

  • Access to Dolibarr admin panel

  • HTTPS-enabled server environment

  • (Optional) Mobile authenticator apps (e.g., Google Authenticator, Microsoft Authenticator)

6. Types of 2FA Supported by Dolibarr

  • Time-based One-Time Passwords (TOTP)

  • Email-based One-Time Passwords

  • Third-party integrations via OAuth or SAML (for external identity providers)

TOTP is the most commonly used and secure option.

7. Preparing Your Dolibarr Environment for 2FA

Before activating 2FA:

  • Ensure all users have valid email addresses in their profiles

  • Back up your database

  • Notify users about upcoming security policy changes

8. Installing and Activating the Two-Factor Authentication Module

Navigate to:

  • Home > Setup > Modules

  • Enable the "Two-Factor Authentication" module (core or custom)

If using a third-party module from Dolistore, upload the module via FTP to the /custom/ directory and activate it.

9. Setting Up Two-Factor Authentication for Administrators

Administrators should enable 2FA first to test functionality:

  • Go to "Users & Groups > Your User > Security Settings"

  • Enable 2FA and choose the method (TOTP or email)

  • Scan the QR code with an authenticator app

  • Enter the generated code to complete setup

10. Setting Up 2FA for End Users

Admins can:

  • Allow users to self-enroll in 2FA from their profiles

  • Enforce mandatory 2FA for all users (via module settings)

  • Set expiration for initial setup period

Best practice: Offer support during the transition period.

11. Using Google Authenticator with Dolibarr

  • Install Google Authenticator on your mobile device

  • Scan the QR code displayed in the Dolibarr 2FA setup page

  • Input the 6-digit code to confirm

Dolibarr stores a seed key per user in encrypted form and validates codes using the TOTP algorithm.

12. Using Email-Based OTP for 2FA in Dolibarr

If users don’t have smartphones:

  • Enable email OTP mode

  • Upon login, a code is sent to the registered email

  • The user inputs the code to complete login

Ensure email configuration is functional in Setup > Email.

13. Customizing the 2FA Prompt Message and Login Flow

Some modules allow customizing:

  • The message displayed during 2FA prompt

  • Branding elements of the 2FA screen

  • Timeout and retry limits

Advanced templates can be modified without touching core PHP files.

14. Managing Recovery Options for Locked-Out Users

For users who lose their second factor:

  • Admins can disable 2FA temporarily from the admin panel

  • Set up recovery codes during enrollment

  • Use email verification for fallback authentication

Create a policy to verify identity before re-enabling accounts.

15. Logging and Monitoring 2FA Events in Dolibarr

  • Access logs via Tools > Audit or Admin Tools

  • Enable system event logging for login attempts

  • Use third-party logging modules for more detail (e.g., login source, IP, device)

Monitor for failed attempts or brute-force behavior.
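The kind of check worth running over exported login events, as an added example for this guide rather than a Dolibarr feature: it flags a user/IP pair with a burst of failures inside a short window and notes whether a successful login followed, which is the pattern that deserves a closer look. The sample lines are constructed, and the pipe-separated layout is an assumption; adapt `parse` to the columns of your actual audit export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp|event|user|ip" layout.
SAMPLE_LOG = """\
2024-05-01 08:00:01|USER_LOGIN_FAILED|alice|203.0.113.5
2024-05-01 08:00:04|USER_LOGIN_FAILED|alice|203.0.113.5
2024-05-01 08:00:07|USER_LOGIN_FAILED|alice|203.0.113.5
2024-05-01 08:00:10|USER_LOGIN_FAILED|alice|203.0.113.5
2024-05-01 08:00:13|USER_LOGIN_FAILED|alice|203.0.113.5
2024-05-01 08:00:20|USER_LOGIN|alice|203.0.113.5
2024-05-01 09:15:00|USER_LOGIN_FAILED|bob|198.51.100.9
2024-05-01 09:30:00|USER_LOGIN|bob|198.51.100.9
"""


def parse(line: str):
    """Split one exported event line into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, ip


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {(user, ip): details} for pairs reaching `threshold` failures within `window`."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per (user, ip)
    flagged = {}
    for line in log_text.splitlines():
        ts, event, user, ip = parse(line)
        key = (user, ip)
        if event == "USER_LOGIN_FAILED":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged[key] = {"first_failure": q[0], "failures": len(q),
                                "success_after": False}
        elif event == "USER_LOGIN" and key in flagged:
            # Success right after a burst of failures: treat as a possible compromise.
            flagged[key]["success_after"] = True
    return flagged
```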

16. Best Practices for Enforcing 2FA Across the Organization

  • Start with admin and finance users

  • Gradually include all users

  • Set expiration for 2FA codes (30-60 seconds)

  • Audit usage monthly

  • Make 2FA mandatory in high-risk modules (Accounting, HR)

17. Integrating 2FA with LDAP and External SSO Solutions

If using LDAP or AD:

  • 2FA must be handled externally (e.g., via ADFS)

  • Dolibarr can accept SSO tokens from identity providers

  • Combine with firewalls and VPNs for layered security

Contact your IT provider for SAML/OAuth integration.

18. Auditing User Compliance with 2FA Policies

  • Generate user lists and check 2FA status fields

  • Report on inactive or unprotected accounts

  • Notify non-compliant users with reminders

Regular auditing reinforces accountability and compliance.

19. Troubleshooting Common 2FA Issues

  • Time sync issues with TOTP apps: ensure the clock on the user's device, and on the server, is set automatically

  • Emails not received: check SMTP configuration

  • Users locked out: have a recovery SOP in place

  • Module conflict: test in staging before production deployment

20. Conclusion and Future of Secure Authentication in Dolibarr

Two-Factor Authentication is one of the most effective defenses against unauthorized access to Dolibarr ERP. As cyber threats evolve, Dolibarr’s ecosystem continues to integrate enhanced security features through both core tools and community modules.

Enabling 2FA should be part of every organization's digital security hygiene. Whether you're managing HR, CRM, accounting, or inventory, adding this extra layer ensures your data—and your clients’ trust—is protected. Looking ahead, biometric authentication, device recognition, and AI-driven fraud detection may become part of Dolibarr’s authentication roadmap.

Start implementing 2FA today for a safer, more resilient Dolibarr deployment.