There was a discussion on this in the last 6-12 months which initially made me stop and think, but eventually the explanation for what is required to gain access made me more comfortable. Are you likely to have looked at this recent discussion?
Depends what you mean by getting into your account. I'm not an expert by any means, whether it be with how these things work more generally or Hubitat specifically.... But securing the local Web UI, which can be operated completely locally if you want, isolated from the Internet, along with the devices involved... To me, calling out to a cloud authenticator doesn't seem like a necessary setup. Some of the other cloud-based access, maybe, but even in the case of the App, the need for local inclusion like I mentioned seems like an even stronger model to me. Again I could be missing something and completely misrepresenting the situation... Just my observations...
Personally I don't include any security stuff in my setup (locks, garage doors, etc)... Nothing to do with Hubitat, just always felt a bit uneasy myself having that part automated in a software-based system of any kind, aside from those provided by dedicated security companies (not that I have done that either).
I'm talking about accessing my hub remotely, via AWS. I can log in with my email and password, and can have remote access.
As far as local access, I am not worried about 2FA there, as it's secured on my network via a VLAN and other methods.
I believe as a user, we are responsible for our local network, some place that Hubitat is not obligated to assist with.
But for remote access, even though I do have a complex password and I am pretty methodical about security on my phones and computer, if for some reason, let's say, HE's DB got compromised, even with my password, 2FA is that little step of security that I would appreciate having.
Hmm, I guess I didn't see that, but doing local TOTP is a bit tougher; you have to be really good at keeping the clock in sync for that to work. Something like that could lock you out forever, really, short of a reset. Full SSL encryption for local connections would work, but TOTP is a tough cookie to implement. Ask me how I know...
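To make the clock-sync concern in the post above concrete, here is an added example (not Hubitat code and not from any poster) of RFC 6238 TOTP generation and verification in Python, where the verifier accepts codes from a few neighbouring 30-second steps so small clock drift does not lock the user out, and rejects reuse of an already-accepted step. The secret and timestamps are the RFC's published test values; the skew window size and the replay-tracking parameter are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_seconds: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_seconds // step)


def verify_totp(secret: bytes, code: str, at_seconds: int,
                skew_steps: int = 1, last_used_counter=None):
    """Accept a code if it matches any step within +/- skew_steps of the server clock.

    Returns the matched counter (store it as last_used_counter to block replay) or None.
    skew_steps=1 tolerates roughly +/-30s of drift between hub and phone; if the clocks
    drift further than the window, the user is locked out even with the correct secret.
    """
    base = at_seconds // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = base + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # replay protection: each step may be consumed once
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
    phone_time, hub_time = 59, 95      # constructed: phone clock 36s behind the hub
    code = totp(secret, phone_time)
    print("code from phone:", code)
    print("skew 1 step ->", verify_totp(secret, code, hub_time, skew_steps=1))  # None: locked out
    print("skew 2 steps ->", verify_totp(secret, code, hub_time, skew_steps=2))  # 1: accepted
```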
Whatever is done, please make 2FA an opt-in setting, even for web UI access. Or at the very least, please ensure that after the first login the device can be remembered. Having someone hack my system then gain physical access to my property, where I live, is not a big worry. But I have shortcuts set up on my phone screen that allow me to control things on various hubs several times per day, and don't want to lose that convenience. Thanks!