QR code as a method of pairing HomeAssistant Companion with HA

Why can’t I pair the HomeAssistant Companion by scanning the QR code? This solution will allow you to quickly authorize the application in the HA system and will allow you to instantly log in to a person’s account in the HomeAssistant Companion application.

I see the solution in the main outline as follows:

  • The HomeAssistant Companion application is extended with a QR code scanner (a QR code scanner to authorize a given person’s account).
  • In the settings of individual people, a QR code is available, which must be scanned with the scanner built into the HomeAssistant Companion application.
  • We download the HomeAssistant Companion application, run the QR code scanner, use it to scan the QR code displayed on the person’s settings page (e.g. the main administrator’s), and we are done: we are logged in to the application. There is no need to enter our HomeAssistant address in the application, and we do not have to enter the login and password; one scan of the QR code and it’s ready. 🙂

You can read the development of the above suggestion in my post at the link below:

Cool idea. It also has a security benefit: nobody can hijack the URL. (Assuming no malware on the computer that shows the QR code, no malware in the screen, etc.)

1 Like

Pairing devices using QR codes has become common practice recently. Microsoft is also taking advantage of this: we pair the smartphone with the “Your phone / Link with the phone” application in MS Windows using a QR code.

In the case of the HomeAssistant system, for an additional layer of security, after scanning the QR code with the HAC application on your smartphone, an additional pairing confirmation window could be displayed: “Smartphone Samsung Jan wants to log in to your HomeAssistant account. Do you agree to this?”

3 Likes

Oh, this is a good idea. Something I never knew I wanted. It should embed the local and external URLs into the QR code too. I don’t want to type that stuff all the time.

2 Likes

Home Assistant broadcasts both the internal and external URLs (and other stuff) via mDNS.
The companion app should really just default to using the URL data it can already see on the local network.

1 Like

This is how discovery works in the Android app. It only saves the external URL, internal URL can only be added once home WiFi is selected.

1 Like

Hey hey vote, vote! :slight_smile:

The functionality of pairing HA with HAC via QR codes leads smoothly to the next possibility/functionality (described in my post at the link below).

There is a bit of irony in that there is already a feature where you can scan QR codes from within the companion for adding Z-Wave Plus devices, but the companion does not actually contain a QR code scanner. Instead that functionality actually lives in the front-end web UI. Since the web UI is not available at the time you would be scanning here, an additional QR code scanning system would be needed.

QR code based setup is not even a new idea. I see some references to possibly using that for App setup from about 5 years ago.

Doesn’t this assume that everybody is on the network local to the home assistant instance during this process? I don’t think that we should rely on that.

1 Like

I mean that is certainly true.

I would however always advise that no-one should ever be providing a QR code that can be used by anyone to login to a system externally. That’s a massive security issue.

But a QR code to login a guest to a user that is configured to only allow login on the local network, makes sense.

1 Like

I agree with @mobile.andrew.jones. Yes, for security reasons, logging in with the QR code should be possible only in the LAN network of the HomeAssistant system.

1 Like

QR code would just be an easier way of auto typing in a username & password… There is NO additional security risk. It doesn’t need to be overly complicated.

At the login screen just have a “login with QR code”, scan it and it just auto fills username & password. Helps with obnoxiously long passwords.

3 Likes

Not necessary, the QR code is just a more convenient way of transferring the login details to the app. It does not create a new security risk. Login+password are not safer shared in plain text.

A QR code promotes the use of long and difficult passwords, so it benefits safety.

Best solution: the QR code is a one-time token. The app uses that token to retrieve a long-lived or permanent working token.
The code is used by the app and it can only be used once.

1 Like

To be honest, I think it’s an acceptable risk. If you have a QR code with limited validity period (after 5 minutes QR becomes useless), then be it internal or external URL, accessible or not, the risk will be managed well enough in my opinion.

We have enterprise applications already using this out in the wild.

Having the assumption that a QR code is only valid for a limited time, and upon pairing a confirmation is required on the UI (similar to HomeKit).

With the above assumptions, in my opinion, if someone can sit at my screen for 5 minutes and gain access, after which there’s still a prompt on Home Assistant’s GUI to confirm the pairing, then I’ve got bigger problems in my life to be dealt with than having my external URL open. 😂

There is no reason to treat QR codes different from username/password.
They’re just credentials.

Suddenly when it’s a QR code everyone gets all giddy, as if secret passwords magically beam through walls in all directions.
They are not special. They are just a string of characters but it uses a black-and-white pattern that your phone can read.

Nextcloud uses these for pairing devices, which is much safer than what Home Assistant does by not having this.
Nextcloud creates a unique single-use token for every device you pair.

Force people to type their password on their mobile phone, they will choose and re-use short passwords.
Give them a QR code and you can

  • generate a unique code for every device
  • generate long secure codes
  • be much more convenient too.

Yes, it is possible to have something more convenient that is actually more safe.
Don’t mistake convenience with danger. Don’t be triggered to apply random restrictions to make it ‘feel’ safer again.
Inconvenience is not safety.

2 Likes
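The flow argued for in the last few posts (a single-use, time-limited pairing token embedded in the QR code, exchanged once for a long-lived token, a confirmation prompt on the HA side, and optionally a local-network-only restriction) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not Home Assistant or Companion app code. The payload format, the 5-minute lifetime, the class and method names, the URLs, and the use of "private IP address" as a stand-in for "on the local network" are all assumptions made for the example.

```python
"""Added example (not Home Assistant's or the companion app's code): a minimal
QR-code pairing flow as discussed in the thread. The server side issues a
short-lived, single-use pairing token, embeds it in the QR payload together
with the instance URLs, the phone exchanges it once for a long-lived token, and
the exchange only completes after the user confirms on the server UI.
All names, the payload layout and the TTL are assumptions for illustration."""
import hmac
import ipaddress
import json
import secrets
import time
from dataclasses import dataclass

PAIRING_TTL = 300  # seconds: the 5-minute window mentioned in the thread (assumed)


@dataclass
class PairingRecord:
    user: str
    issued_at: float
    local_only: bool
    used: bool = False


class PairingServer:
    """Hypothetical server side: issues QR payloads and redeems them once."""

    def __init__(self, internal_url, external_url, now=time.time):
        self.internal_url = internal_url
        self.external_url = external_url
        self.now = now                   # injectable clock so expiry can be tested
        self._pairing = {}               # pairing token -> PairingRecord
        self._awaiting_confirm = {}      # pairing token -> device name shown in prompt
        self._long_lived = {}            # long-lived token -> user

    def issue_qr_payload(self, user, local_only=True):
        """What gets rendered as the QR code on the person's settings page."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never reused
        self._pairing[token] = PairingRecord(user, self.now(), local_only)
        return json.dumps({"internal_url": self.internal_url,
                           "external_url": self.external_url,
                           "token": token})

    def _lookup(self, token, table):
        # Compare in constant time so an attacker cannot narrow a token byte by byte.
        for stored, value in table.items():
            if hmac.compare_digest(stored, token):
                return stored, value
        return None, None

    def request_pairing(self, token, device_name, client_ip):
        """Called by the phone right after the scan. Returns a status string."""
        stored, rec = self._lookup(token, self._pairing)
        if rec is None:
            return "unknown token"
        if rec.used:
            return "already used"
        if self.now() - rec.issued_at > PAIRING_TTL:
            return "expired"
        if rec.local_only and not ipaddress.ip_address(client_ip).is_private:
            return "local network only"
        rec.used = True  # burn the code now, before the user has even confirmed
        self._awaiting_confirm[stored] = device_name
        return "awaiting confirmation"

    def confirm(self, token, approved):
        """The user answers the '<device> wants to log in. Do you agree?' prompt.
        Returns the long-lived token on approval, otherwise None."""
        device = self._awaiting_confirm.pop(token, None)
        if device is None or not approved:
            return None
        long_token = secrets.token_urlsafe(48)
        self._long_lived[long_token] = self._pairing[token].user
        return long_token

    def authenticate(self, long_token):
        _, user = self._lookup(long_token, self._long_lived)
        return user


def parse_qr_payload(payload):
    """Companion-app side: decode the scanned QR text into URLs plus token."""
    data = json.loads(payload)
    return {k: data[k] for k in ("internal_url", "external_url", "token")}


class FakeClock:
    """Controllable clock so the expiry path can be shown without sleeping."""
    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Walk through the normal pairing plus each rejection path (constructed data)."""
    clock = FakeClock()
    srv = PairingServer("http://homeassistant.local:8123",   # assumed URLs
                        "https://example.duckdns.org", now=clock)
    results = {}
    # Happy path: QR shown on the admin's page, scanned once from the LAN, confirmed.
    app = parse_qr_payload(srv.issue_qr_payload("jan", local_only=True))
    results["first_scan"] = srv.request_pairing(app["token"], "Samsung Jan", "192.168.1.23")
    long_token = srv.confirm(app["token"], approved=True)
    results["auth"] = srv.authenticate(long_token)
    # The same QR code scanned again is rejected: single use.
    results["replay"] = srv.request_pairing(app["token"], "Samsung Jan", "192.168.1.23")
    # A local-only code presented from a public address is rejected.
    t2 = parse_qr_payload(srv.issue_qr_payload("jan", local_only=True))["token"]
    results["external"] = srv.request_pairing(t2, "Samsung Jan", "8.8.8.8")
    # Once the validity window has passed the code is useless even on the LAN.
    clock.advance(PAIRING_TTL + 1)
    results["expired"] = srv.request_pairing(t2, "Samsung Jan", "192.168.1.23")
    # A request the user declines at the prompt never yields a token.
    t3 = parse_qr_payload(srv.issue_qr_payload("jan", local_only=False))["token"]
    srv.request_pairing(t3, "Unknown phone", "8.8.8.8")
    results["declined"] = srv.confirm(t3, approved=False)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

Two design points worth noting: the pairing token is burned as soon as the phone presents it, not when the user confirms, so a second device scanning the same screen cannot race the prompt; and the long-lived token is minted only after confirmation, so a leaked QR image on its own never becomes a session. The `is_private` check is a crude placeholder for "on the home network"; a real deployment would use whatever notion of trusted network the server already has.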