Avoiding 2FA lockout

I activated 2FA a few months ago and now I have decided to buy a new smartphone because I lost the previous one.
When I try to authenticate using User+Password it asks for an OTP which is sent as a notification to that lost device.
I have running/active sessions on a few PCs/browsers but that notification is only sent to the Companion App…
It’s not a big deal because I have full Terminal access to temporarily add a new Trusted Network IP:User setting, but this is a bit tricky.

It would be nice to send the OTP even to the current active browser sessions of the same user, or something else to avoid lockout.

My TOTP app allows me to do a backup. It even reminds me to do a new one after adding another seed.

You should also back up so you don’t lose access!

1 Like

Which could be used to bypass the OTP function. :wink:

Maybe instead of sending to the active session, having a list of one-use backup codes would align better with current industry practices?

Sending the OTP to a preset email is possible, or to some other service like Telegram.

You could set up some API endpoint that may be used to trigger an automation that sends the notification.

OR

The two-factor QR code may be printed and stored in a physically safe location so if the phone is lost you may restore the OTP on a new device.

I think the second option may be the safest. The first could be similar to any other service. You may password-protect the API to add more security.

Why not just back up the seed?

Should be supported by any proper OTP app (like Aegis)?

Also if you use a password vault/safe you should back it up.

In case you have valuable data you don’t want to lose, just back it up.

Backup is the key

3 Likes

Agree that backups are critical, but setting up backups might not be the most obvious or most straightforward solution to a layperson.

Installing another app just to join MY HA once seems a bit ridiculous…
I would like something “normal” and not a “trick”.

At this time enabling 2FA could lock out its Admin if his device is currently not available, and that’s not normal.

Isn’t 2FA with a recovery code no different from 2FA with a backup password, where the password is strong, never used, and changed if it is used for recovery? Is there a real technical difference?

???

Any 2FA system I’ve used allows alternative methods for login; HA doesn’t do this.
If the OTP is sent only to the physical device(s), it is possible (as in my case) to be locked out because the device is lost or not working.
Auth alternatives are offered but:

  • using another app just once per year(s) seems stupid and, moreover, I don’t want to mess up my completely offline HA instance with an online 3rd-party internet software, especially for logins (lucky you if you trust this kind of thing…)
  • Trusted Network cannot be used due to the casual IP of mobile connectivity

So there isn’t any other method for login, and an Admin, even if he knows the user and password, is locked out of HIS system.
In a “normal system” losing a password can be fixed by resetting it using the appropriate procedure and/or (for 2FA) sending the notification/OTP to a different channel (HA does not), so telling me that “losing the only registered device is similar to losing the password” is not true.

Sorry, I forgot 2FA was separate from the other auth provider, but I still don’t see the problem.

If you are using TOTP you can just set this up as a sensor and see the code in HA, so there is no need to send it to a logged-in user. (I think that is what you meant in your original suggestion.)
I get it, you don’t want to do that and I’m not sure how that affects security; that is why they suggest using an Authenticator app so that if you switch phones you can move the 2FA generator. Losing a phone could temporarily slow you down until you get home to the “seed” that you smartly placed in a secure location to allow recovery on the new phone you just purchased, OR you did the online backup of the authenticator app and codes (which I do not recommend).

Authenticator apps are offline. I remember back in the late 1990s they’d give us those credit-card-size things that would change codes every minute so we could log into the dial-up VPN. I doubt that relied on connectivity, and unless the app is just trying to serve ads I am pretty sure it just needs the correct time.

Lots of things require a 2FA code. Mostly techy stuff that cares to be more secure than sending the code to you, and to anyone with a cloned phone, as a text. If you like that better than installing an authenticator app, HA allows that also if you use Notify MFA. If you don’t want to use the app, use the notify service. OR keep the current method and just keep the seed handy in your wallet and install/set up/uninstall the app the one time you switch phones or need to log in.

1 Like

Which often takes away all the advantages (security!) 2FA offers!

Correct, TOTP (time-based one-time passwords) works completely offline and can be easily backed up like people (hopefully) do with other stuff they don’t want to lose…

1 Like

Nope, I said I LOST my only device, so the OTP will only be sent to that LOST device, so there isn’t any other way to get that code besides going out and finding the device…

I’m not using any kind of alternative app/cloud/service for auth in any service in my life… not even “login with FB/Google/Twitter” buttons.
I’m using each service’s own sign-in and login procedure because they are simple, easy, and each one is responsible for only that account.
Moreover, for OFFLINE software like my HA there isn’t any reason to link a cloud-based service with my completely offline HA just for one time in my life… (I hope not to lose my device so often).

…and it requires a generated secret at setup that will be used as a MASTER password. So 2FA becomes just bulls*it if a “backup password” (the secret) is needed for login when the device is lost. It’s like a backup password and nothing more.

This is how it works if the server has up-to-date time.
My offline HA could have a difference of a few minutes because it’s completely offline besides a passthrough for Google Messaging (push notifications).

So I have to set up a complete MFA using (for example) Telegram to receive a code for auth, when HA (by itself, without doing anything) could just send that code as a notification to all active sessions of that specific user? LOL…
“service.persistent_notify” is already prepared and working to send notifications, so why does any user have to do a boring and long procedure for this purpose? It makes no sense at all.
Of course “everything can be done” (even, for example, forcing users to have a different HA app for each dashboard, LOL), but if it’s stupid I don’t think that it’s the right way…

T(ime-based)O(ne)T(ime)P(asswords) are NOT sent to a device but generated locally (offline) from a seed (QR code) that should be backed up (like all stuff that matters/you don’t want to lose).

I actually hope you start to value backups and start doing them!

1 Like
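Both the point just made (the code is derived offline from the seed, so a restored backup yields the same codes as the lost phone) and the clock-drift concern raised earlier in the thread can be seen in a minimal RFC 4226/6238 implementation. This is an added example, not code from the thread or from Home Assistant; the seed value is constructed for illustration and the `window` parameter of `verify_totp` is an assumed name.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed (not a real secret): the base32 string a TOTP QR code carries.
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the clock, so no network is involved."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, server_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +-window adjacent steps.

    window=1 tolerates roughly +-30 s of clock drift; a server that is several
    minutes off (as described for the offline HA above) rejects every valid code.
    Comparison is constant-time so the check leaks nothing about the expected code.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + delta * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    lost_phone = totp(EXAMPLE_SEED_B32, now)
    new_phone = totp(EXAMPLE_SEED_B32, now)   # restored from the backed-up seed
    print("same code on both devices:", lost_phone == new_phone)
    print("server 5 min off, window 1:", verify_totp(EXAMPLE_SEED_B32, lost_phone, now + 300))
```

Running the script shows both "devices" agreeing and the drifted server rejecting the code, which is why the only lockout-free design is a backed-up seed plus a server clock that is at least roughly correct.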

I already wrote that it’s not much different from having a normal BACKUP password (that we should not forget/lose) to use when the main one is forgotten, and it forces us to install a 3rd-party app just for this one-time/easy step… it’s a stupid method, IMHO, when there are other better methods that need nothing more to use them.

At THIS moment the BUG is:

if an Admin enables “2FA Notify” and loses his only device, there isn’t any method to solve the situation besides having already enabled MFA using TOTP or doing a login via SSH to unlock this situation.

No documentation warns: “if you enable 2FA Notify you also have to enable TOTP (by using a 3rd-party app) to be sure not to be locked out”.

The quickest solution could be sending the code to ALL user sessions, hoping that at least one is currently active; it’s easy to implement, with no 3rd-party app or “thing” to save/back up, etc…

Not sure which platform you are on, but I just installed one app for TOTP because my OS didn’t ship with a “first-party one” (from Google or Apple or whatever that could be?).

Conveniently this app prompts me to do an encrypted backup of the seed the moment I add one.

Besides, it has a much better rating than “Google Authenticator”, which seems to miss even basic functionality…

Don’t think so. I think it’s stupid to undermine the security of an offline/cold TOTP system by “connecting” it, essentially trying to re-invent HOTP(?).

That’s good. Many providers don’t take 2FA seriously and allow their employees (mods/admins) to just disable it on demand/request, which was and probably still is successfully used for social engineering attacks on other people’s accounts.

Wasn’t the definition of 2FA something you FORGOT and something you LOST?

Lucky you, everything can be backed up before it is too late!

Again: TOTP is completely offline. Your app that generates a password from a seed does not need internet access. The app I use, called Aegis, has no network permission at all (no local & no internet) and allows easy encrypted backups or exports.

1 Like

???
I’m using a lot of 2FA in different online services but none of them lacks usability like this. In ALL those services, if you lose the email account or the device (for push notifications or SMS receiving) there are ALWAYS other methods to finish the 2FA process: another active channel/session for notifications, a 2nd/3rd email address, a phone call, answers to predefined questions, and so on.
HA doesn’t have any of those but supports only an OPTIONAL (meaning: NOT mandatory) feature (the TOTP) that forces the Admin (the ADMIN!!!) to have a 3rd-party app (not even the HA Companion App itself… it’s ridiculous) to be allowed to access HIS OWN system.
This doesn’t deserve other words… it’s completely ridiculous.

And I’m writing as a Software Developer who has already implemented dozens of 2FA methods in 25 years of development.

I hope you weren’t in charge of the plenty of badly implemented two-factor authentications that could/can easily be circumvented by third parties because they essentially include a backdoor disabling 2FA.

Having a “secret key” like TOTP uses is similar to having a backup password, a secret answer to a private question, a secondary e-mail/channel/session where the new link/code is sent, and so on.
Losing that TOTP secret key is the same as losing secondary email account access, forgetting the answer to a secret question, etc… and vice versa.
It’s not so different.

But this implementation of TOTP forces users to install a 3rd-party app, and only for ONE-time usage. It’s completely absurd, like needing to change the whole house’s wall/door when we lose the lock key.