SafeLogin 2FA

Secure your Dolibarr login with modern Multi-Factor Authentication

SafeLogin is the complete 2FA security module for Dolibarr ERP & CRM. Stop relying on passwords alone — protect your business data with industry-standard authentication methods trusted by enterprises worldwide.

Why SafeLogin?

TOTP (Time-Based One-Time Password): Works with Google Authenticator, Authy, Microsoft Authenticator, and any RFC 6238-compliant app. Your users simply scan a QR code and are protected in seconds.

WebAuthn / Passkeys (FIDO2): Support for hardware security keys (YubiKey), biometrics (Windows Hello, Apple Touch ID / Face ID). Phishing-proof by design — no code to intercept, no secret to steal.

Recovery Codes: Users can generate one-time backup codes to regain access if their primary 2FA method is unavailable. No lockout anxiety.

Enforcement Policies: Admins can mandate 2FA for all users or specific roles — no more treating security as optional. Set it, enforce it, audit it.

Dedicated Permissions: Fine-grained admin right "Manage Users 2FA" for clean delegation without granting full super-admin access.

Native Integration: Plugs directly into Dolibarr's login flow with zero external dependencies — no SaaS, no third-party API calls, no data leaving your server.

Who is it for?

Any Dolibarr instance handling sensitive business data — customer records, invoices, contracts, HR data. Whether you're a solo admin or managing a team of 200, SafeLogin adapts to your security policy.

Requirements

Dolibarr 19.0.0 or higher — PHP 7.1 or higher

User Guide

Welcome to the SafeLogin Two-Factor Authentication (2FA) User Guide! This document explains how you can easily set up and manage your 2FA security to keep your Dolibarr account safe.

Understanding Your 2FA Options

SafeLogin supports two primary methods for securing your account:

1. Authenticator App (TOTP): Using apps like Google Authenticator, Authy, or Microsoft Authenticator.

2. Security Key (WebAuthn/FIDO2): Using hardware USB keys (like YubiKey) or your device's built-in biometrics (like Windows Hello, Apple Touch ID, or Face ID).

📱 Setting up an Authenticator App (TOTP)

When you access the SafeLogin 2FA Enrollment page, follow these steps to link your authenticator app:

Step 1 — Download an Authenticator App: If you don't have one, download Google Authenticator, Authy, or Microsoft Authenticator on your smartphone.

Step 2 — Scan the QR Code: Open your authenticator app, choose the option to add a new account, and scan the QR code displayed on your screen. If you cannot scan the QR code, click on the bold text secret code shown below the QR code to copy it to your clipboard and paste it manually into your app.

Step 3 — Enter the Verification Code: Your app will generate a 6-digit code that changes every 30 seconds. Type this code into the input dots on the screen.

Step 4 — Click "Verify": Submit the code. If correct, your TOTP authentication is successfully enabled!

🔑 Setting up a Security Key / Biometrics (WebAuthn)

Step 1: Look for the Security Key (WebAuthn) section on the right side of the enrollment page.

Step 2: Click the blue "Setup Security Key" button.

Step 3: Your web browser will open a security prompt. Follow your browser's instructions to touch your security key, scan your fingerprint, or use facial recognition.

Step 4: Once completed, your security key will be registered and displayed as active.

🛡️ Managing Your Recovery Codes

IMPORTANT: Recovery codes are your ultimate backup. If you lose your phone or security key, these codes are the ONLY way to regain access to your account.

Automatic Generation: As soon as you successfully configure your first 2FA method, SafeLogin will automatically generate a batch of single-use recovery codes.

Saving Your Codes: You will immediately be prompted to save them. Use the provided buttons to Copy All, Download (as a text file), or Print them. Store them in a safe, offline location.

Regenerating Codes: If you have used up your codes or feel they have been compromised, return to the 2FA settings page and click "Regenerate Codes". Note: generating new codes will immediately invalidate any old unused codes.

❌ Disabling 2FA

Step 1: Go to your 2FA settings page.

Step 2: Under the active method (TOTP or WebAuthn), click the "Disable" button.

Step 3: To protect your account from unauthorized changes, you will be prompted to enter your Dolibarr login password.

Step 4: Once your password is confirmed, the specific 2FA method will be disabled.

Keep your account secure! If your administrator has enforced 2FA, you may be required to complete this setup before you can access your Dolibarr dashboard.

By GHM LABS

Professional Dolibarr module development based in Morocco. For support, questions, or custom development, visit ghm-labs.ma.