MFA/2FA recovery codes

I just set up 2FA for my account as I’m exposing it over HA cloud, however there doesn’t appear to be an option to generate recovery codes - is that supported?

It makes me a little nervous to think that if I lose or break my phone then I could be locked out of the HA system.

Would the workaround be to ssh to it locally and edit some part of the configuration to disable MFA? If that’s an option then my concern is much lower.

I’ve half-answered my own question in terms of working round this (requires “SSH & Web Terminal” to be installed).

SSHing to the server locally, I can delete the users section in /config/.storage/auth_module.totp to disable MFA.

In the meantime - you should be considering what solution you use for TOTP, because as you have pointed out - if you lose your phone you might be locked out. But Home Assistant won’t be the only thing you might be locked out of. You should ALWAYS ensure that you have another device that has the same TOTP codes on it.

Thanks for the response, Andrew - totally get that, which is why the option to generate recovery codes should be considered a mandatory step in any MFA solution. I wouldn’t use a cloud solution that did not allow me to create these recovery codes for the very reason you state.
I’m (now) less concerned about Home Assistant as it’s a local service that I can hack to get round MFA if needed.

> You should ALWAYS ensure that you have another device that has the same TOTP codes on it.

I’m not sure that’s an option, is it? I understood the handshake was between the MFA app and individual devices - I don’t recall seeing an option on other systems to have multiple MFA authentication devices (but I could be wrong, of course).

No, it’s not a method of the actual TOTP system to have multiple clients; it is down to the Authenticator app you use.

For example, I use EnPass (other password managers are available). It does not default to using any cloud solution and is a local password manager, but you can choose to back up / sync via whatever 3rd party cloud provider you like, or even your locally hosted cloud storage system like NextCloud / OwnCloud.

This means that I have access to my TOTP codes on my laptop, phone, chromebook, watch and gaming PC. LastPass and other password managers also provide this functionality to ensure your TOTP codes are available on all your devices.
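An added example, not part of the thread and not Home Assistant's code, showing why the same TOTP codes can live on several devices: under RFC 6238 a code depends only on the shared secret and the current time, so there is no per-device pairing. The secret is the RFC's published test key used as constructed sample data, the function names are hypothetical, and the 30-second step and SHA-1 are the RFC defaults, assumed here.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrolment QR code would carry it. Never reuse it for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the RFC 6238 (HMAC-SHA1) code for a base32 secret at unix_time."""
    s = secret_b32.upper().replace(" ", "")
    s += "=" * (-len(s) % 8)                      # restore stripped padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, unix_time, window=1, step=30):
    """Server-side check: accept +/- `window` time steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * step, step), code)
        for i in range(-window, window + 1)
    )

def two_devices(unix_time):
    """Two independent 'devices' that both stored the secret at enrolment."""
    phone = totp(SECRET, unix_time)
    laptop = totp(SECRET, unix_time)
    return phone, laptop

if __name__ == "__main__":
    phone, laptop = two_devices(59)
    print("phone :", phone)
    print("laptop:", laptop)
    print("server accepts laptop code:", verify(SECRET, laptop, 60))
```

Anything that holds a copy of the secret (a synced password manager, a second phone, a printed QR code) is a working second factor, so each copy needs the same protection as the original.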

