Nabu Casa Alexa secure entities

My emulated hue bridge was playing up, so I decided to try out Nabu Casa for integration with Alexa voice control. All up and running with voice control of varoius switches/lights in a few minutes - great!

I can see from the docs that I can enable control of my alarm panel etc. Looking at the google home docs, I can set a secure pin that has to be provided to arm/disarm the alarm or to open things like garage doors. There is no equivalent information in the alexa docs. If I enable things like the alarm panel and garage door covers in the alexa integration, does this mean that they will be unsecured?

Not sure if this is how it works in general but for my setup the garage door is exposed as a door but needs to be turned on like a switch. I tell my garage door to turn on and it opens; no pin has been set.

Hmmm…thought as much. Not sure I want to expose things like covers/locks/alarms without any security.

In the google assistant docs:

Secure Devices

A secure device cannot be opened by Google Assistant unless a secure_devices_pin is set up. The following domains cover secure devices: lock , alarm_control_panel and covers with device types garage and door .

To allow opening, set the secure_devices_pin to something and you will be prompted to verbally provide this when opening the device. Closing and locking these devices does not require a pin.

For the Alarm Control Panel if a code is set it must be the same as the secure_devices_pin . If code_arm_required is set to false the system will arm without prompting for the pin.

Not sure why the security settings are different for Alexa and Google?

(watching)
I’m looking to solve the same problem with Alexa and Nabu Casa

So I just had a little play with this.

Turns out that even if you add an alarm_control_panel entity or domain, it doesn’t appear in the Alexa app. They also don’t show in the Home Assistant Cloud config panel in the front end, so appears that they are not actually supported.

Covers work, but there is no security and you can’t determine status (open/close). To activate, you have to say “turn on the door” rather than “open the door”.

I think this is just an Alexa limitation because I noticed yesterday that you can make devices like “Covers” have 2 factor (request a pin code) with Google Assistant.

Configuration > Home Assistant Cloud > Google Assistant > Manage Entities > (look at your cover/s)

So we need this feature for Alexa as well.

SECURITY CONTROL PANEL

Introduced in release 0.101.0

Alexa will require a 4 digit voice personal identification number (PIN) for disarming. Configure a 4 digit PIN in the Alexa app, or use an existing 4 digit PIN code configured for the security_control_panel.

To use the exiting code configured for the security_control_panel the code must be 4 digits and the code_format attribute must be FORMAT_NUMBER. After discovery the Alexa app will offer the ability to use the existing code, or create an additional 4 digit PIN to use with Alexa. The existing code is never communicated to Alexa from Home Assistant. During disarming, Alexa will ask for a PIN. The PIN spoken to Alexa is relayed to Home Assistant and passed to the alarm_control_panel.alarm_disarm service. If the alarm_control_panel.alarm_disarm service fails for any reason, it is assumed the PIN was incorrect and reported to Alexa as an invalid PIN.

Alexa does not support arming with voice PIN at this time. Therefore if the security_control_panel requires a code for arming or the code_arm_required attribute is true the entity will not be exposed during discovery. Note that code_arm_required may default to true even if the integration does not support it. Use the Entity Customization Tool in the Home Assistant Configuration and override code_arm_required to false to expose your security_control_panel during discovery.

security_control_panel state must be disarmed before arming. Alexa does not support switching from one armed state to another without first disarming. e.g. switching from armed_away to armed_home.

The security_control_panel state armed_custom_bypass isn’t supported by Alexa and is treated as armed_home.

Security Panel Utterances

Alexa, arm my home in away mode.
Alexa, arm my home.
Alexa, disarm my home.
Alexa, is my home armed?

COVER

Introduced in release 0.104.0
In addition to using on/off utterances. Home Assistant configures covers with semantics that allow you to say “raise”, “lower”, “open”, and “close” for covers.

Open/Close Utterances

Alexa, open the blinds.
Alexa, close the curtain.
Alexa, lower the shades.
Alexa, raise the roof!

Covers with a device_class of garage will enable the Open by Voice option in the Alexa app.

Covers that SUPPORT_SET_POSITION can be controlled using percentages.

Set Cover Position Utterances

Alexa, set the shades to thirty percent.
Alexa, increase shades by ten percent.
Alexa, decrease shades by twenty percent.

Thanks for this. Following the config above, I can now see my alarm control panel in the Alexa app.

It might be useful if someone could add this info to the Nabu Casa docs: https://www.nabucasa.com/config/amazon_alexa/

Are there any plans to add 2FA/security to other devices for Alexa (e.g. covers, doors, locks)? This would be very useful as I can’t really expose these without any security - I have visions of someone shouting “Alexa, open the garage door” through my letterbox!

Locks already support pin codes by default. When you expose a lock to Alexa, in the Alexa app, you have to go into the lock properties and enable “Unlock by app” and “Unlock by voice”. Alexa will prompt you to set a pin when you enable “Unlock by voice”.

As for covers, as of 0.104, when you set a cover with device_class: garage_door, you have enable “Open by voice” in the Alexa app and you will be prompted to set a pin.

I haven’t seen anything regarding door security.

OK - I am being dumb here…

I am running 0.104.2. I have my gararge door cover exposed in the cloud config, with the display_categories attribute set to GARAGE_DOOR. The cover itself has a device_class: garage - garage_door is not a valid device class.

It appears fine in the Alexa app, but there are no security/pin settings?

My bad, it should be device_class: garage (usually set in customize.yaml). In the Alexa app, if you edit the device, you should have a switch for “Open by voice” there.

To be honest though, I agree with your initial assessment of not adding doors and locks to Alexa. Instead, I use input_booleans that get set upon door/lock actions. That way I still have the ability to query if a door, window or lock is closed and/or locked without having to expose a way to allow for someone to trigger a door or lock from outside of the house.

Interesting. Device class is correct, but no voice control option in the Alexa app. In fact, “Open” and “Close” commands don’t work - still only “On” and “Off”.

Screenshot_20200120-1812181080×2160 182 KB

Perhaps because my cover is a template_cover?

Very possible. How is your garage door integrated? Is it a MQTT type device or one of the standard integrations?

MQTT - essentially controlled by an ESP8266 running ESPhome.

It’s working for me!

image1242×2688 313 KB

Very strange. Do you have a “secure_devices” pin set or anything in your config?

in alexa or HA?

In HA - in the cloud config or your cover?

Just for comparison, here is the config for my cover:

cover:
  - platform: template
    covers:
      left_garage_door:
        device_class: garage
        friendly_name: "Left Garage Door Controller"
        value_template: "{{ is_state('binary_sensor.left_garage_door_sensor', 'on') }}"
        open_cover:
          - service: switch.turn_on
            data:
              entity_id: switch.left_garage_door_open_switch
        close_cover:
          - service: switch.turn_on
            data:
              entity_id: switch.left_garage_door_close_switch
        icon_template: >-
         {% if is_state('binary_sensor.left_garage_door_sensor', 'on') %}
            mdi:garage-open
          {% else %}
            mdi:garage
          {% endif %}
      right_garage_door:
        device_class: garage
        friendly_name: "Right Garage Door Controller"
        value_template: "{{ is_state('binary_sensor.right_garage_door_sensor', 'on') }}"
        open_cover:
          - service: switch.turn_on
            data:
              entity_id: switch.right_garage_door_open_switch
        close_cover:
          - service: switch.turn_on
            data:
              entity_id: switch.right_garage_door_close_switch
        icon_template: >-
          {% if is_state('binary_sensor.right_garage_door_sensor', 'on') %}
            mdi:garage-open
          {% else %}
            mdi:garage
          {% endif %}

and for the could component:

cloud:
  alexa:
    filter:
      include_entities:
        - switch.bedroom_light
        - group.bedside_lamps
        - light.rooflight
        - alarm_control_panel.alarm
        - cover.left_garage_door
        - cover.right_garage_door
    entity_config:
      switch.bedroom_light:
        name: "Bedroom Light"
        display_categories: LIGHT
      group.bedside_lamps:
        name: "Bedside Lamps"
        display_categories: LIGHT
      light.rooflight:
        name: "Kitchen rooflight"
        display_categories: LIGHT
      cover.right_garage_door:
        name: "Right garage door"
      cover.left_garage_door:
        name: "Left garage door"

@srk23

• Verify the device_class is actually garage in the Entity Customization Tool and override if needed.
• Verify the supported_features attribute is 1,2,3 or 11. Anything else won’t trigger the Open by Voice feature for garage. Based on your template it should be 3. Override the value in the Entity Customization Tool.
• Delete the device from Alexa and allow it to be re-discovered.

Also note that this feature may only work for supported locales. I can’t find specific documentation in the Alexa API docs on the supported locales for Open by Voice, but everything does work for en-US.