Not a feature request for HA but for Nabu Casa Cloud account administration.
Nowadays there shouldn’t be publicly accessible services secured only by username/password rather than MFA. Still, our Nabu Casa Cloud account administration is lacking MFA. Even though I have access to:
Please, please, DO implement MFA. It scares me every time I log in to this thing and am not asked for a 2FA authentication. Literally anyone in the world could log in to my system if they’re able to get hold of my password.
I was surprised there was not even TOTP as a possible option for 2FA. Please do implement this as soon as possible; I feel rather insecure using this service otherwise.
This is exactly the reason why I have now canceled my subscription (even though I really would like to support Home Assistant).
I posted this discussion over 2 years ago, and still nothing has happened. This is far too risky.
Agreed. I really love HA and Nabu Casa. But am seriously considering cancelling my subscription, because it’s such an egregious security vulnerability to expose my system to the entire world with simply a user ID and password. That’s really unacceptable in this day and age.
I decided to create a Nabu Casa account yesterday to support the project, and committed to a 1-year subscription before even looking at all the features offered after I logged in.
I was very surprised to see that the authentication settings didn’t offer MFA.
Wondering how this could be prioritized…
Just signed up for the 1 month Nabu Casa trial - was extremely surprised there wasn’t an option for MFA. Decided to search, as I was sure it existed and I was simply overlooking it… even more disappointed to find a 3+ year old ignored feature request for it.
It was already Nabu Casa vs Cloudflare Tunnel for me. I was leaning towards Nabu Casa simply to support the developers, but I’m not sure I feel comfortable with my Nabu Casa cloud account missing this.
In the UK, MFA on all web-facing services is a mandatory requirement for suppliers to government, NHS etc. as it is a requirement of the government backed Cyber Essentials certification. I know HA might be meant more for home users, but if a business is using it, and it doesn’t have MFA, you cannot supply government or many large businesses!
How is this still not implemented? It has been supported in HA itself for quite some time.
Now that backups are also stored inside the account it is really important to have MFA support, TOTP preferred so you can set whichever app you want to use for it.
I fully agree. I started this thread years ago and never got a single response from the maintainers with at least an argument for why they do not implement robust authentication.
I mean they argue with HA and privacy from the very beginning, but security doesn’t really seem to be a matter. At least not when it comes to their very own cloud service.
However, I helped myself with a cloudflare tunnel and am happy with it.
Well, they just said that they’re working on it, that it’s nearly ready, and that they still don’t want to make any promises. Then they elaborated a lot about encrypted backups, without mentioning any details, e.g. which algorithm is used, to verify they’re on the right track; see the Australian ban of different cryptographic algorithms.
They didn’t even give details about their MFA implementation, so there is no information about whether it is phishing resistant or not. Anyway, I’m sure there’s some self-confident developer in the HA team who will create some sort of standard TOTP/HOTP solution which will be accepted by most of the users.