If your instance of HA is accessible via the internet (remote access, HA app on your phone), then a strong password in conjunction with MFA is a must for most services in order to protect your account.
What if you lose access to your MFA token or forget the password?
Recently I’ve added 2 MFA tokens to my MFA app, but during the setup process I had an incoming call which interrupted the enrolment process; this inadvertently overwrote the existing MFA token for my own HA instance.
I cannot turn MFA off in order to get back into my HA.
While there are some guides out there that apparently let you reset the authentication process, they don’t always work.
It should also not be assumed that everyone can, or is willing to, start hacking around in the back end of their system in order to reset something that should be possible via the frontend.
There should be a mechanism in place which can enable you to reset/temporarily turn off MFA in order to access your own account.
Basic setup of HA:
- Set up HA
- Created strong password
- Enabled MFA
- Enabled external access to HA
Situation:
Phone gets lost/stolen, no access to MFA token.
Cannot login to HA.
Solutions:
Solution 1:
Offer Gmail integration as a required part of MFA setup so that:
- HA can use an alternative method to send the MFA token, e.g. via email.
- If the MFA token gets lost or out of sync, an MFA reset can be performed via an email token.
- If the password for any account is lost or forgotten, send a password reset via email.
Solution 2:
If you’re running HA in a VM or Docker, access the terminal and enable SSH (if the add-on is installed).
Once enabled, access HA via SSH and turn off MFA.
Solution 3:
A feature where you can add Trusted Devices to HA so that if MFA or the password is lost, there is still a ‘last resort’ recovery option.
Maybe a public/private key pair or certificate that can be used for authentication via SSH in order to verify the owner/user. This technology is used in AWS and other such services, for instance.