2FA is supposed to make your account more secure. But I think having the 2FA window appear after the password is a security risk.
Because if someone is able to find out the login and password but fails to enter the correct 2FA code, just having the 2FA window appear will give him confirmation that the login and password are correct, and the Home Assistant user would have no clue that his login details have been compromised. If someone is using the same login and password for other things, those will be compromised as well.
What I would suggest is that the username, password and 2FA code should be entered in the same window to log in to Home Assistant. If any of those three things is incorrect, the message ‘invalid login’ should appear. This way the attacker will have no idea whether any of the login details he has entered are valid.
Well, if you are not able to follow basic security rules for logins, which means using a separate login/password for each account, HA can’t be responsible for that.
This is very common practice. The reason is that 2FA being turned on is, in many systems (including HA), an account-by-account thing. You can’t know whether the account is configured for 2FA (or which type of 2FA, for systems that support multiple ones) until the initial account authentication is performed.
2FA straddles the Authentication and Authorization phases of AAA (Authentication, Authorization, and Auditing) leaning mostly on the second side of that.
Adding a request for a 2FA code on the login screen could easily confuse users that do not have 2FA configured at all.
Well, in that case the 2FA window should appear even if you enter a wrong login or password. In the current implementation, if you enter an incorrect login or password, you are told that the password is invalid and you don’t get the 2FA window.
That doesn’t add anything for security and is a terrible user experience. A user logs in, has a typo in their username or password, gets the 2FA prompt and repeatedly enters 2FA tokens trying to log in.
Also, depending on the 2FA type, it’s not even possible.
No other website that I know of has the 2FA prompt in the same window, or makes it appear even with a wrong password - why would it? A) is impossible because there are different 2FA methods and you don’t know which one to use, and it confuses people not using 2FA. And B) makes it trivial for an attacker to figure out that a given account exists and that he just has the wrong password. And, even worse, it would leak to the attacker whether the user uses 2FA, and which 2FA methods he uses.
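The following is an added illustration of the trade-off the thread is arguing about: the password-then-prompt flow versus the single-form proposal from the first post. It is not code from Home Assistant or from any poster. Everything in it is constructed for the demo: two users with hypothetical passwords, a hypothetical TOTP secret for the one account with 2FA, PBKDF2 for password storage, and the convention that an account without 2FA leaves the code field empty. It only works as a single form because every account here uses at most one code-based method (TOTP), which is exactly the limitation the replies point out; with push or hardware-key methods the server would have to tell the client which factor to present first. The unknown-username case still hashes against a dummy record so that response time does not become the enumeration oracle the uniform message is trying to close.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# --- constructed demo data: not Home Assistant's user store -----------------
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password: str, totp_secret: Optional[bytes]) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_pw(password, salt), "totp_secret": totp_secret}

ALICE_SECRET = b"example-totp-secret-for-alice"   # hypothetical secret, demo only
USERS = {
    "alice": make_user("correct horse", ALICE_SECRET),  # 2FA (TOTP) enabled
    "bob":   make_user("battery staple", None),         # no 2FA configured
}
# Dummy record so an unknown username still costs one password hash (timing hygiene).
_DUMMY = make_user(secrets.token_hex(16), None)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"]))

def _code_ok(user: dict, code: str, now: int) -> bool:
    if user["totp_secret"] is None:          # no 2FA: the code field must stay empty
        return code == ""
    expected = totp(user["totp_secret"], now).encode()
    return hmac.compare_digest(expected, code.encode())

def login_stepwise(username: str, password: str) -> str:
    """Password first, then a separate 2FA prompt (the flow the thread describes).
    Returns a distinct state so the UI knows whether to ask for a code."""
    user = USERS.get(username, _DUMMY)
    if username not in USERS or not _password_ok(user, password):
        return "invalid login"
    if user["totp_secret"] is None:
        return "ok"
    return "need 2FA"   # reaching this state confirms the password to whoever typed it

def login_combined(username: str, password: str, code: str, now: int) -> str:
    """Single form with all three fields. Every factor is checked and every
    failure collapses to one message. Workable only because each account here
    uses the same code-based method (TOTP) or none."""
    user = USERS.get(username, _DUMMY)
    exists = username in USERS
    pw_ok = _password_ok(user, password)      # evaluated even if the user is unknown
    code_ok = _code_ok(user, code, now)       # evaluated even if the password is wrong
    return "ok" if (exists and pw_ok and code_ok) else "invalid login"

def what_attacker_learns(username: str, password: str, now: int) -> dict:
    """Both flows as seen by someone holding a stolen password but no second
    factor, who can only submit a junk code."""
    return {
        "stepwise": login_stepwise(username, password),
        "combined": login_combined(username, password, "junk", now),
    }

if __name__ == "__main__":
    t = 1_700_000_000
    print(what_attacker_learns("alice", "correct horse", t))
    print(login_combined("alice", "correct horse", totp(ALICE_SECRET, t), t))
```

Run stand-alone, the first line printed shows the asymmetry: the stepwise flow answers "need 2FA" to a correct password, the combined flow answers "invalid login" whether the password was right or not. The cost, visible in `_code_ok`, is that the server has to know how to verify the third field for every account before it has told the client anything, which is why this only generalises to one code-style method.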