+1 to this. All 3 of the main avenues of increased security mentioned here are important:
- 2FA/passkeys (vital to good security)
- Support for Cloudflare Zero Trust or other upstream authenticated proxies from the iOS app
- OAuth-based SSO, including local providers like Keycloak or SaaS providers like Auth0/Okta
A 0day in HA code would mean that every HA install in the world that’s exposed to the internet would be vulnerable to any number of nasties, including ransomware, home invasion for people local to the install, stalking/doxxing when the attacker gets access to location data, etc. HA has a pretty good security record so far, but it’s not the main focus of the devs, and offloading security to the security experts is a very good practice.