Good Afternoon Automators,
I have this Idea rolling around in my head and I need your help; mainly because 1. I haven’t actually configured anything for it, because 2. Im not currently home to do it, 3 I don’t know to perform all the required functions and 4. Everybody’s hardware is different and a single-built solution won’t work for everybody.
Say you have a secret laboratory and need to change your minion’s PINs everyday or need somebody to let your dogs out while on vacation:
They send an email to HASS with the subject: “PIN Request” and [password] in the body.
HASS validates the password and verifies the sender is in the appropriate whitelist (multiple whitelists for validation windows (2 hour, 4 hour, 8 hour, 24 hour etc.)
HASS generates a random 4 digit integer
HASS sets the random 4 digit integer as the code to the front door
HASS emails the sender the PIN and its validatation window (per whitelist (say they are authorized to arrive within a 2 hour window))
HASS emails me that sender has requested a PIN and the time frame for validation (whether or not it was authorized)
HASS waits the appropriate amount of time based on the whitelist parameter (2 hours, 4 hours, etc.) and deletes the code from the door
HASS locks the door
Hardware:
Kwikset 912 Zwave door lock
ISY-994i with Zwave (Zwave Controller)
Additional Parameters:
HASS disarms the alarm (somehow based on the door code given maybe?)
Alexa Announces the whitelist window every 30 minutes (set a timer for 2 hours) to help enforce the idea of leaving in a timely fashion
Questions:
Can HASS receive emails? (I have mailgun for sending but I’ve never set it to do things based on information received)
Is this something that is doable or of any interest?
Concerns:
This ONLY is intended to allow entry within a specific time frame and does not enforce their hasty exit upon the expiry of the whitelist window; it’s not meant to. There are other functions that can notify me that a visitor has overstayed their welcome.
Great idea that sounds a little similar to concept postal service and some private carriers try to do here in france where postman or authorised delivery guys could drop package inside your home/flat while away
Pretty comfortable, but my google-fu is much stronger lol. You’re right though I was thinking that with the expansion of Python in HA that would be the way to go for sure. Can AppDaemon interact with Mailgun and the ISY (or any other ) zwave controller?
AD is more or less a Python programming shell with links to HA (VERY VERY 10,000 ft view) so you should be able to call or make calls to any other API from it.
This sounds like a very complex work flow to me. A much simpler and robust solution would be rolling codes using for instance Google Authenticator. It’s based on open standards so you are not dependent on external servers or even an internet connection when generating the codes. There are python libraries for code verification if you would want to integrate it with HA somehow.
First, unless you are using S/MIME or something to sign email messages, I wouldn’t depend on the authenticity of an inbound email; they are trivially spoofed. Likewise, conveying a password used more than once in an email message would also seem to be unwise.
@postlund, I don’t think rolling codes (TOTP) like what Google Authenticator uses would work directly for this use-case. The usual case with those style codes is that they are only useful over a very small window of time (say, 2 minutes) and I don’t think you want to continuously reprogram user codes in the lock to make this work.
However, having a keypad that can simply capture digits, and then having HASS tell the lock to open is a whole different matter. That actually would work quite well. It might also be interesting to have a similar application with a camera that could scan a dynamically generated QR code as a means of providing a time-dependent, constantly changing authenticator. Regardless of how the changing secret is conveyed, the user it is associated with might only be allowed a single access.
Yes, I made the assumption that the lock would verify code with HA somehow. Re-programming the lock with a new code often sounds like a disaster bound to happen to me. I also assume that access control (when and who can access) is moved to HA instead of the lock. It would make things easier.
The Kwikset 912 Zwave door locks have several codes available, and the ISY has the ability to add/remove/edit codes. You were right on most counts the lock is “dumb” in the sense that it doesn’t validate information based on criteria, it simply accepts or rejects a code. HASS in this scenario, would validate authenticity and produce a code for the lock and add that code to the lock.
As for the email spoofing, I’m 1. not a HUGE target as Im just a guy playing around with an idea, 2. how many people know the email address to send a request to? Would they know the password as well? Do they know where I live? How would they get around a whitelist behind an SSL and hardware firewall? I’d be interested in seeing how this works as a SysAdmin, it fascinates me!
The Kwikset Zwave door locks cannot DELETE codes (that only took me 2 hours to figure out).
In order to delete a user code, you must override the code by adding a different user code in the same position. For example, if you want to delete the third code, add a different user code in position three.
I really loved this idea, the challenge I had was that my housekeep (who would need the pin) isn’t very “tech savvy”, so I had to come up with something more creative. So, what I did was on the day he comes he comes, it will send him a code, at the end of the day it will “reset” the code to something else. If anyone wants to see it, here’s my configs:
Neat!
While I recognize the official documentation for the kwikset door lock specifically mentions that you cannot delete codes, the Universal Devices (with Zwave) controller absolutely can set delete and manage schedules for all 30 users.
I will try to see if I can generate the application as I described while toying around with the one you so generously provided. Thanks for the insight!!
Since I’ve been home after deployment I’ve secured everything pretty well with SSL certificates and I am pleased with the result so far