Should actionable notifications work away from home?

I have some actionable notifications set up, which work perfectly when I am home. When I leave home, I receive the iOS push alert but the action I select does not seem to fire. Is this because I do not use Home Assistant Cloud?

No, they should work fine even outside the house. Though if your Home Assistant is not reachable outside of your network this will also not work. For this to work your HA must be accessible from outside your network. Basically what this means is that you must have a port opened on your router. Alternatively you can use the nabu casa cloud.

AH, that makes sense. So I need to set up port forwarding to whatever port HA is using, correct? Would doing this expose me to any risk?

Do I need to set up Duck DNS (per https://www.home-assistant.io/docs/configuration/remote)? Or is it enough just to forward the port?

If you just expose the port, anyone hitting your home address will find your open port (not good)
You need to enable ssl which requires that the link is encrypted.

Have a look at setting up duckdns, this will keep track of your home address, allow it the be accessed from a memorable name and will deal with the encryption

Read : -

To be clear, setting up ssl and or duckdns will not provide change what a port scan reports about your open ports.

Duckdns just gives you an easy address to remember rather than trying to remember an ip. It’s easier for a human to remember https://fakelink.duckdns.org:8123 rather than https://153.31.100.37:8123 Duckdns also has a service to update your duckdns address whenever your IP is updated as most residential customers don’t get a fixed IP and it will occasionally change.

The SSL encryption just encrypts the traffic between HA and whoever is accessing HA. This way any sensitive information used during the communication cannot be viewed by anyone else.

True, but with the ssl set up you will only be able to connect with the appropriate certificates (as generated by the letsencrypt components installed with/by duckdns) , you can also enable two factor authentication to further reduce the chances of anyone gaining access to your HA instance

Anyone in the world can still connect. Adding SSL doesn’t prevent this.

This is strongly recommended if your instance is open to the world.

Thank you @Mutt and @silvrr! I guess I will need to look into Duck DNS and two factor authentication. I appreciate your help!

If you already own a domain name you could use that instead of duckdns. But basically everyone is right. Opening a port will expose your instance to the internet. Exposing a port to the internet will always be a risk (though using upnp, which is enabled by default on many routers is just as much risk). I would honestly not think too much about it and just make sure your instance is at least password protected, running over https and preferably run 2FA if you can.

If you really don’t want to expose a port yourself you can either get nabu casa or use a vpn (by vpn I mean a self hosted vpn and not a service like nordvpn or tunnelbear). A lightweight vpn that is called wireguard could be used for that (which doesn’t take a real hit on your battery like for example openvpn does). With wireguard you could make it that it will activate whenever you leave your wifi network and thus not only making sure your HA port isn’t open, but will also secure all your other traffic you use on your phone. Though this is a scenario that won’t fit most people (which includes myself as I only use vpn when I have to).

It is really up to you on how you want to do it, there are tons of ways to secure your network. Something many people use which will make your setup a bit more secure is a reverse proxy.

Thank @Mutt @silvrr and @jimz011 for your help. But I think I still need some assistance! I tried setting up MFA tonight, but I suspect I am doing something wrong.

I followed these steps: https://www.home-assistant.io/docs/authentication/multi-factor-auth/

So, I now have auth_mfa_modules in my config:

homeassistant:
  name: Home
  latitude: xx.xxxxxxx
  longitude: -xx.xxxxxx
  elevation: 0
  unit_system: imperial
  time_zone: America/New_York
  auth_mfa_modules:
    - type: totp

And I enabled MFA on my profile page in LoveLace:
image

I have restarted HA since making these changes. So then I opened a browser on another computer and logged in, and it let me right in without the second part of the two-factor authentication. And interestingly, when I look at my profile screen on the second computer, it does not show MFA as enabled. Am I doing something wrong here?

Ahh ! you replied to the thread, we don’t get notifications when you do that.
So you tagged, that’s okay though too.

The mfa works per account so did you log in on the second device using a different user ?

Nope, same account. I only have one login that I use. Weird, eh?

Hm, I have setup 2fa through the interface. I also did not add any lines to configuration.yaml for 2fa.

It would only be required if you have an old config for home assistant. I usually start fresh and omit settings like location as this can be done in the ui, which also does not require a restart and is great for when you have an RV (also copying your config to the forums will save you some personal details as location is then no longer stored in configuration.yaml).

I do this because a lot of the home assistant configuration (and most notably the default configuration) has changed significantly. It is difficult to keep up with the changes sometimes, but a fresh start always saved me from stupid errors or stupid config that can be easily set in the ui. Use integrations wherever you can. Prefer autodiscovery of mqtt over hardcoding and so on.

Though just to answer your question, have you tried clearing your cache? Or even better, try an incognito browser window.

Nor did I (just saying I agree)

Thanks @jimz011 and @Mutt! I got it to work tonight. I set up MFA (again!) using the HA app on my iPad, rather than Chrome on my Mac. This time it worked. Not sure why it would be any different, but I am happy it is up and running. I also removed the YAML config. I haven’t tested my actionable notifications yet, but I suspect it will work remotely now. Thanks again for all of your help, gentlemen!