Fully automated 2FA login to HA with keepassxc

Hi all,

Tired of always having to grab my phone, open an additional app and manually enter 6 digits when logging in to Home Assistant with 2FA enabled, I dug deeper into TOTP and found an elegant way to do it all with one click using the free and open-source password manager KeePassXC. It looks like Bitwarden offers a similar function as well, but since I’m not using Bitwarden, maybe somebody else can dive into that later.

Let’s quickly recap: TOTPs are one-time passwords that are valid for 30 seconds. Since they change so often, a single code isn’t as sensitive as a password. The really sensitive part of TOTP is the secret key from which the 6 digits are derived for each 30-second time step.

Before I show you where you can grab this key, be warned: you’re messing with an authentication component. If you mess up the configuration and can’t get into Home Assistant later, I won’t be responsible. You’ve been warned, but chill, it’s not magic; if I can do it, you can.

In the Home Assistant config folder (where your configuration.yaml lives) there is a hidden folder called ‘.storage’. You may have to change your file explorer’s settings to make hidden elements visible; I’m confident you will find out how to do this if necessary. In this folder you’ll find a file called ‘auth_module.totp’; that’s where all information for TOTP is stored. Please open it with a decent editor. It will look similar to

{
  "data": {
    "users": {
      "9xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2": "BOOOOOOOOOOOOOOOY"
    }
  },
  "key": "auth_module.totp",
  "version": 1
}

Under users, every Home Assistant user ID that has 2FA activated is listed with its TOTP secret (the quotes aren’t part of the secret). In the example above, the HA user with ID 9xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2 has the TOTP secret BOOOOOOOOOOOOOOOY.

Grab this line and copy it into an empty editor sheet; we’ll need this information later. Be sure not to change anything in the file ‘auth_module.totp’, then close it. Note that this file holds the secret in plain text, so anyone who can read the ‘.storage’ folder can generate valid codes; keep its permissions tight.
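As an added example (not part of the original post), the following Python script shows what the recap above describes: it pulls a user’s secret out of an ‘auth_module.totp’-style file and derives the 6-digit code from it per RFC 6238, which lets you check a copied secret against your authenticator app before touching KeePassXC. The JSON and the secret are constructed stand-ins (the secret is the RFC 6238 reference key), not real values; the HMAC-SHA1 / 6 digits / 30 s parameters are the defaults Home Assistant’s TOTP module uses.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed stand-in for .storage/auth_module.totp. The user ID is the page's
# placeholder; the secret is the RFC 6238 reference key in base32, not a real one.
AUTH_MODULE_TOTP = """{
  "data": {
    "users": {
      "9xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    }
  },
  "key": "auth_module.totp",
  "version": 1
}"""


def secret_for_user(raw_json: str, user_id: str) -> str:
    """Return the base32 TOTP secret stored for a Home Assistant user ID."""
    return json.loads(raw_json)["data"]["users"][user_id]


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Home Assistant's defaults: HMAC-SHA1, 6 digits, 30 s step."""
    # Re-pad in case the stored secret is not a multiple of 8 characters.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def matches(secret_b32: str, candidate: str, timestamp: int, window: int = 1) -> bool:
    """Check a code against the current step and +/- `window` neighbouring steps
    (clock drift tolerance), using a constant-time comparison."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, timestamp + delta * 30), candidate):
            return True
    return False


if __name__ == "__main__":
    secret = secret_for_user(AUTH_MODULE_TOTP, "9xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2")
    print("current TOTP:", totp(secret, int(time.time())))
```

Running it prints the code for the current 30-second step; it should match what your authenticator app shows for that account.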

The next step is to prepare KeePassXC. Before going on, here is the official advice from the KeePassXC FAQ:

Q: KeePassXC allows me to store my TOTP secrets. Doesn’t this alleviate any advantage of two-factor authentication?
A: Yes. But only if you store them in the same database as your password. We believe that storing both together can still be more secure than not using 2FA at all, but to maximize the security gain from using 2FA, you should always store TOTP secrets in a separate database, secured with a different password, possibly even on a different computer.

Open KeePassXC and go to the entry holding the username/password of the Home Assistant user whose ID appears in ‘auth_module.totp’. Right click this entry, choose ‘TOTP’ and then ‘Set up TOTP …’. Enter the TOTP secret from ‘auth_module.totp’ in the top field of the pop-up window that opens, leave all other settings as they are (the defaults, 6 digits with a 30-second step, match what Home Assistant uses) and confirm by clicking [OK]. You’ll now see a small clock icon showing that TOTP is configured.

Right click the entry for the Home Assistant user again, choose ‘TOTP’ again, but this time go for ‘Show TOTP …’. Compare the 6-digit TOTP with the one from your usual app, such as Google Authenticator or Authy. If it is the same, you’ve done a good job.

Let’s finalize and put it all into a smart KeePassXC Auto-Type sequence. Double click the entry for the Home Assistant user to open its settings. On the left side you’ll find ‘Auto Type’; in my installation it’s the fourth entry from the top.

Set the radio button to ‘use user defined Auto Type sequence’ and fill out the field below with
{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1500}{TOTP}{ENTER}
Confirm by clicking [OK]. The {DELAY 1500} gives Home Assistant time to show the 2FA prompt before the code is typed; if your instance is slow to respond, increase that value.

How to use:
Once KeePassXC is open, you can double click the URL column, which opens the browser on the login page. Switch back to KeePassXC, right click the entry for the Home Assistant user and choose ‘Auto Type’. Result: with that one (1) command you’ll pass the 2FA and you’re logged in, tadahhh.