Home Assistant Security (especially when using add-ons)

I have been checking the strength of all the passwords for HA users because I am preparing to open a port for my HA.

However, I use the Mosquitto add-on and I can’t use 2FA for the HA user that I have created specifically for access to the MQTT broker. Is there a way around this? Because if not, it seems like a bit of a security issue.

Not in and of itself it isn’t, but having one user without 2FA does seem to diminish the point of using 2FA for any users.

Or am I wrong?
Or is there a way around this?

I don’t think that should be an issue unless you want to open the MQTT broker to the internet. A potential hacker would first need access to your network before he can access the MQTT broker, and if he already has access to the network it’s too late anyway.


If he’s using a Home Assistant user for MQTT, that can also be used to log in to Home Assistant.

Personally I think it’s a small target in a big pond and just use a very strong password.

Interested to hear alternatives though.


Ok, didn’t know that, thanks for the info.

Yes, that was the point I was trying to make.

I guess you could use a local user defined in the mqtt addon config.
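
The local-user approach from the last reply, as an added example that is not part of the original thread: the Mosquitto add-on accepts a `logins` list in its configuration, and accounts defined there exist only in the broker, so they are not Home Assistant users and cannot sign in to the frontend. The username and password below are placeholders.

```yaml
# Mosquitto add-on configuration (Settings > Add-ons > Mosquitto broker > Configuration, YAML view).
# Example values only: pick your own username and a long random password.
logins:
  # Broker-only account for MQTT devices. It is not a Home Assistant user,
  # so it has no frontend login that would need 2FA.
  - username: mqtt_devices                       # placeholder name
    password: "REPLACE_WITH_LONG_RANDOM_SECRET"  # placeholder, generate your own
# Leave the add-on's other options at their existing values.
```

After restarting the add-on and moving the devices to this login, the Home Assistant user that was created only for MQTT can be deleted, so no account without 2FA remains on the exposed login page.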