I have been using DUO.com with a few projects now including Guacamole and VMware Horizon. The service works fast and always as expected. I enter my user name and password and get a push to my phone or smart watch. I can then accept or deny the login from my smart watch of phone with the push of either accept or deny button. I would love to see something like this for Hassio.
I’m going to take a look at implementing this. If anyone else has started this or wants to please let me know.
I’m new to developing for HA but I’ve worked out I need to create an MFA component. I’ve copied the insecure example as well as test editing the totp module.
I’m currently stuck as I need to insert an iframe into the polymer-dialog. It looks like the front end may not allow this or I’ve got to wrap the HTML code in the correct tags for the front end to understand it’s html. Currently it’s been displayed as
Lots more to understand about how the frontend works and more source code to read before saying it’s not possible though.
Are you still working on this @JumpMaster? I’d like to use Duo as well and wouldn’t mind seeing if I can help. Not sure if you have a git repo up with the code currently or not
I’ve made a couple of PRs now and learned a lot more about this process. I’ve also looked into how the MFA code works and it currently isn’t compatible with Duo. The MFA system takes a description (e.g. please enter your google auth code) and a field (e.g. a field for 6 numbers).
This isn’t compatible with Duo which would require an iFrame along with a few other fields. To implement this would require a lot of code changes to the front end and probably an issue raised within the architecture repo.
I’ve had an issue open for 12 days which hasn’t had an update. This is holding up two PRs I’ve raised but as they edit a base object it has to be agreed via the architecture repo.
I think the first step should be to raise the issue in architecture. At least find out if the team are interested in Duo support. If there not interested it won’t get there time. They’re all extremely busy and know what they want to achieve. If we’re going to take their to look at something else it has to interest them.
I’m happy to help and would like Duo support but I’m not sure it’s the most important thing to add to HA at the current time.
There’s a pretty nice PR which seems stalled adding web auth as an MFA.
Thanks for getting back, I’ll see if I can find the issue you raised and add my support. Seeing as how this project is for home automation and for it to be practical you need to expose your internal network externally, I think supporting more MFA platforms should be on the bucket list. I know they’re busy so if there’s anything we can do to get some more support around this and also help them achieve the goal once they roadmap the request, I’m more than happy to dig in and learn/help any way that I can.
What might be more interesting / beneficial would be to have a 2fa system which uses the official mobile apps. So upon signing in you can either use Google Auth or confirm the prompt within the mobile app. In the same way Duo does.
This would require an addition to the mobile api and an app (for testing) and eventually to the mobile app.
But again does this add anything important to HA? It would be slightly more convenient to be able to click a prompt but opening Google Authenticator or Auth when logging in isn’t hard. I assume everyone selects “Remember me” on their devices so logging in is not a frequent task.