Not a feature request for HA but for Nabucasa Cloud account administration.
Nowadays there shouldn’t exist publicly accessible services only secured by username/password but with MFA. Still, our Nabucasa Cloud account administration is lacking MFA. Even though I have access to:
Please, please, DO implement MFA. It scares me every time I log in to this thing and am not asked for a 2FA authentication. Literally anyone in the world could log in to my system, if they’re able to get hold of my password.
I was surprised there was not even TOTP as a possible option for 2FA. Please do implement this as soon as possible; I feel rather insecure using this service otherwise.
This is exactly the reason why I now canceled my subscription (Even though I really would like to support Home Assistant).
I posted this discussion over 2 years ago, still nothing happened. This is far too risky.
Agreed. I really love HA and Nabu Casa. But am seriously considering cancelling my subscription, because it’s such an egregious security vulnerability to expose my system to the entire world with simply a user ID and password. That’s really unacceptable in this day and age.
I decided to create a Nabu Casa account yesterday to support the project, and committed to a 1-year subscription before even looking at all the features offered after I logged in.
I was very surprised to see that the authentication settings didn’t offer MFA.
Wondering how this could be prioritized…
just signed up for the 1 month nabu casa trial - was extremely surprised there wasn’t an option for mfa. decided to search, as i was sure it existed and i was simply overlooking it… even more disappointed to find a 3+ year old ignored feature request for it.
it was already nabu casa vs cloudflare tunnel for me. i was leaning towards nabu casa simply to support the developers, but not sure i feel comfortable with my nabu casa cloud account missing this.
In the UK, MFA on all web-facing services is a mandatory requirement for suppliers to government, NHS etc. as it is a requirement of the government-backed Cyber Essentials certification. I know HA might be meant more for home users, but if a business is using it, and it doesn’t have MFA, you cannot supply government or many large businesses!