MFA via Notify One-Time Password

Hi all,

I was reviewing the doc on MFA and it talks about the NOTIFY MULTI-FACTOR AUTHENTICATION MODULE.

I don’t know if this is a dumb question but… is it possible to use native HA mobile app notifications for this? I know this may sound silly since I’m asking about using the app that could potentially be needing to be authenticated for an authentication request but: I think this makes sense in cases where you have multiple devices.

I verified that I have the mobile app notification working: I made a button that triggers a test message using the notification service (notify.mobile_app_pixel_5 in my case) and that does work.

But when I try to enable the Notify One-Time Password, it tells me " No notification services available.".

If this is something that’s not supposed to work: does anyone have any suggestions for notification integrations that would let you do this securely?

Note: I do already have totp (Authenticator app) set up and that is working but this sounds like it would be easier.


I wouldn’t recommend doing that. A TOTP PIN that is being transferred can also be intercepted. At least when being paranoid about security. Hence it’s safer to only have the secret stored within your authenticator(s).

According to the support article, the Notify MFA method uses HMAC-based one-time password (HOTP) and HMAC looks to offer a level of security higher than just sending the PIN in cleartext via SMS or something like that.

Having said that, documentation on setting up the HOTP mechanism is pretty spare so I may have to wait on that. It looks like the code for it is here but it’s a bit over my head.

Well, I have to admit to have never used that feature. But the way I read it, the required PIN will just be sent out using an existing notification platform (in plaintext). It’s the responsibility of the notification platform to encrypt the data during transit.

So if f. ex. the PIN is 123456 and you have set it to use an E-Mail notifier, then it will send 123456 within an E-Mail. Nothing more.

I agree, that the typical user wouldn’t have to worry about this. I just wanted to point out a security concern. Apart from that, this also obviously only will work if the notifier is functional. Hence my personal opinion is, that it makes much more sense to just use an authenticator application. That’s at least more reliable (unless you loose the device), and there’s zero chance of the PIN being intercepted during transmission.