2FA Lockout

I had to restore an old backup on my VirtualBox VM of HassIO. It’s running, but I no longer have access to the 2FA token so my password does not work. Is there a way to bypass 2FA?

I do have a full backup via the GoogleDrive Back Up. It’s an older version of HA. If I start from scratch can I restore from that backup if the versions are different?

Thanks in advance!

Chris

Assuming that you can get to the VM console through Virtualbox, you should be able to log in as root and cd /mnt/data/supervisor/homeassistant/.storage. Try renaming auth_module.totp to something like auth_module.totp-orig, restart the VM, and see if that disables 2FA.

I’m just guessing here, but I don’t see any reference to 2FA in auth, but auth_module.totp just showed up when I enabled 2FA myself yesterday.

Or, you could add your local network as a trusted network in configuration.yaml, temporarily or permanently, also through the console:

  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24

Or… you could follow the instructions here: https://www.home-assistant.io/docs/locked_out/

Probably need to add a trusted user as well as trusted network to bypass 2FA…

I only have the trusted_networks section above and I had to connect my laptop through my phone hotspot to test out 2FA with it in place. Otherwise, it just let me in.

How does it know what user to use to let you straight in?
I use this in my config…

# Auth & 2FA
  auth_mfa_modules:
    - type: notify
    - type: totp
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - ::1
        - !secret my_ipv4_network
        - fd00::/8
        - !secret zerotier_network
        - !secret my_ipv6_network
      trusted_users:
        127.0.0.1: !secret user_id
        "::1": !secret user_id
        !secret trusted_ipv4: !secret user_id
        "fd00::/8": !secret user_id
        !secret trusted_ipv6: !secret user_id
        !secret zerotier_network: !secret user_id
      allow_bypass_login: true
    - type: homeassistant

So if I’m on my network or connected via zero tier it just logs in without any password or 2FA at all but if I’m on an external network I have to authenticate with user/pass/2FA code.

I haven’t really investigated how it all works. This is the entirety of my auth_providers, and I only have to enter a password/2FA if I’m on an external network:

  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24
    - type: homeassistant

Maybe it defaults to “everyone”?

It’s been so long since I set this up I don’t remember. I don’t see how it can bypass login if you don’t specify a user.
Does yours prompt you to select the user?
With mine it just logs straight in with no prompt. In fact if I log out it logs back in immediately with no prompt either. (The login screen just flashes right by)

Yes, it tells me that I’m logging in via trusted networks, asks me to select a user, and then lets me right in. I think your allow_bypass_login line is what’s allowing you to completely skip the login, but that only works if you only have a single user. Or, maybe the trusted_users is what’s doing it.

I got to the level of security that I care about and immediately stopped looking :slight_smile:.

Well that explains it if it’s prompting you for the user.
The trusted user is linked to a network so it knows which user to use, and bypass login is set so it just goes right in. (So nothing to do with it working only for a single user, although it would only work for a single user on a specific network.) Effectively it reinstates the old login functionality from before auth came in.
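
A small model of the behaviour worked out in the posts above, added here as an example and not part of any post or of Home Assistant's own code: given a trusted_networks provider as a dict, it reports whether a source address gets the password and 2FA prompt, a user picker, or a direct login. The rules are the ones the posters describe; the user ids, the networks standing in for the !secret values, and the function names are constructed placeholders, and trusted_users is modelled with user ids only.

```python
import ipaddress

# Constructed sample data: the two configs from the thread, with the !secret
# entries replaced by placeholder networks and hypothetical user ids.
ALL_USERS = ["user-a", "user-b"]
PROMPTING = {"trusted_networks": ["192.168.1.0/24"]}
BYPASSING = {
    "trusted_networks": ["127.0.0.1", "::1", "192.168.1.0/24", "fd00::/8"],
    "trusted_users": {"127.0.0.1": "user-a", "::1": "user-a",
                      "192.168.1.0/24": "user-a", "fd00::/8": "user-a"},
    "allow_bypass_login": True,
}


def _matches(addr, network):
    """True if addr falls inside network (a single IP counts as /32 or /128)."""
    net = ipaddress.ip_network(network, strict=False)
    return addr.version == net.version and addr in net


def login_outcome(provider, source_ip, all_users=ALL_USERS):
    """Classify a request from source_ip, using the rules stated in the thread."""
    addr = ipaddress.ip_address(source_ip)
    if not any(_matches(addr, n) for n in provider.get("trusted_networks", [])):
        return "password+2fa"            # falls through to the homeassistant provider
    candidates = list(all_users)         # no trusted_users entry: any user selectable
    for network, users in provider.get("trusted_users", {}).items():
        if _matches(addr, network):      # trusted_users narrows the choice per network
            candidates = [users] if isinstance(users, str) else list(users)
            break
    if provider.get("allow_bypass_login") and len(candidates) == 1:
        return "auto-login:" + candidates[0]   # no prompt at all
    return "select-user:" + ",".join(candidates)


def summary(provider):
    """Outcome for each trusted network, probed with the network's first address."""
    return {n: login_outcome(provider, str(ipaddress.ip_network(n, strict=False)[0]))
            for n in provider.get("trusted_networks", [])}


if __name__ == "__main__":
    for name, cfg in (("prompting", PROMPTING), ("bypassing", BYPASSING)):
        print(name, summary(cfg), login_outcome(cfg, "203.0.113.9"))
```

Every network that reports auto-login or select-user is one where neither the password nor the TOTP code is asked for, so the list is worth reviewing whenever a VPN or overlay range is added to it.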

Thanks all! I was able to restore from a backup and got everything up and running.

Thank you, this is working fine.

Can someone provide step-by-step instructions for how I could achieve the following from the command line (CLI) on a HA OS installation:

disable the Notify MFA module by editing or removing the file [your_config_dir]/.storage/auth_module.notify.