2FA for local hubitat Web UI Access

I've seen a couple of old closed topics for this and was wondering if anything has been done?

It would be nice to have something like TOTP. The older threads mention authenticator being on the radar for implementing.

if not what are people doing to secure the login?

Ubiquiti has just added 2FA to there controller software. But there is no "remember this device" option, so 2FA is required EVERY login. That is almost as annoying as not having 2FA security.

There was a discussion on this in the last 6-12 months which initially made me stop and think, but eventually the explanation for what is required to gain access made me more comfortable. Are you likely to have looked at this recent discussion?

I'm not understanding. what does ubiquity have to do with adding 2fa to the hubitat web UI?

Without 2FA any login prompt can be brute forced.

This is the discussion I was thinking of... You can skip to the solution and some of the comments afterwards to cut to what allayed some of my concerns ...

Basically, in terms of use of the app, the person / device needs to connect locally in order to gain access.

Yeah I dont think this would be that useful for the Web UI login. It would be good to have it for the web portal / forums login though.

1 Like

Im looking for 2FA on the web UI not the mobile app. I don't use the mobile app. I'll look at that thread you supplied.

Ah, so you mean when accessing the hub through a remote admin subscription? Or just the web UI generally?

just accessing the web ui locally.

Then yes, my comment about the app, though potentially interesting, not so relevant.

I second that.. I think I asked about a year ago, 2FA would be nice, "Save current session" would be helpful and most likely required.

I mean, if they did get into my account, they have access to HSM, my locks, etc. etc. It's scarey these days.

Depends what you mean by getting into your account. I'm not an expert by any means, whether it be with how these things work more generally or Hubitat specifically.... But securing the local Web UI, which can be operated completely locally if you want, isolated from the Internet, along with the devices involved... To me, calling out to a cloud authenticator doesn't seem like a necessary setup. Some of the other cloud-based access, maybe, but even in the case of the App, the need for local inclusion like I mentioned seems like an even stronger model to me. Again I could be missing something and completely misrepresenting the situation... Just my observations...

Personally I don't include any security stuff in my setup (locks, garage doors, etc)... Nothing to do with Hubitat, just always felt a but uneasy myself having that part automated in a software-based system of any kind, aside from those provided by dedicated security companies (not that I have done that either).

I'm talking about accessing my hub remotely, via AWS. I can log in with my email and password, and can have remote access.

as far as local access, I am not worried about 2FA there, as it's secured on my network via a VLAN and other methods.

I believe as a use, we are responsible for our local network, some place that Hubitat is not obligate to assist with.

but remote access, even though I do have a complex password and I am pretty methodical about security on my phones and computer, if for some reason, lets say that HE's DB got compromised, even with my password, 2FA is that little step of security that I would appreciate having.

No argument from me, any security improvements that can be made to remote access, if needed, make perfect sense to me. But the OP was asking about local web UI access.

Humm, i guess I didn't see that, but doing local TOTP is a bit tougher, you have to be really good at keeping the clock in sync for that to work. something like that could lock you out forever really. short of a reset. full SSL encryption for local connections would work, but TOTP is a tough cookie to implement. Ask me how I know .. :stuck_out_tongue:

I think it's time for dinner :smile:

True but this particular login prompt is only available to someone that’s already on your LAN.

If they’ve breached your local network, you’re already in a world of trouble regardless of whether or not Hubitat’s web UI is secured by 2FA.

I agree with this. These login prompts are accessible from the internet.


Whatever is done, please make 2FA an opt-in setting, even for web UI access. Or at the very least, please ensure that after the first login the device can be remembered. Having someone hack my system then gain physical access to my property, where I live, is not a big worry. But I have shortcuts set up on ky phone screen that allow me to control things on various hubs several times per day, and don't want to lose that convenience. Thanks!

I was using it as an example of sub-optimal 2FA implementation.