Is there an plans on setting up 2FA (Two Factor Auth) for any remote connections?
When a new user loggs in to the portal , I would like to be notified someway or 2fa.
thank you
1 Like
Yes, this is on our radar.
10 Likes
Authenticator or Yubistick would be nice. Though I imagine a bit overkill.
3 Likes
Yeah, it will be Authenticator (or equivalent) when it comes.
9 Likes
Hi Gopher--any update on 2FA? I would have a lot more I would do with Hubitat if it were part of logging into the device.
1 Like
Not yet.
This is a great feature to add. Looking forward to getting to enable this for my hub when it is finished.
1 Like
Hello All, Just following up to see how this is coming along. Also wanted to second the request for Yubikey support.
Really looking for this, since you can unlock my doors, it would be nice to have some security.
Hi Hubitat. Just curious on whether we have any progress on MFA at this point. I would really like to have this in place. Just attended a conference for my legal practice and they had a presentation on what we can expect from Hackers 3.0. Scary stuff. Such hackers would seem to be a significant threat to the whole Hubitat system. Any progress on this?
1 Like
I'm not sure what hackers could do to the whole hubitat system. It's not really a gateway into your network. And lets face it, if I'm close enough to be sniffing your z-wave/zigbee network I'm close enough not to need to sniff it as I can see your house and know what lights are on and off. If I want in your house, I'm gonna grab that brick that you left in a pile out back and smash a window in... Now if someone gets on your local network, they can get to your hubitat but they aren't going to care. They're gonna look for attached pc's on your network. Now you shouldn't have any shares or what not turned on in your pc if you have sensitive legal documents on your system (I do a lot of work for various lawfirms) and your hard drive should be encrypted and you should be using something like crowdstrike on your laptop/pc. But I guess if they could get on your local lan, get to hubitat, start flashing lights to make your family complain and while you're investigating it, smash the window in your home office/den with that brick you left in the back yard and grab your laptop and run then try to get into your hopefully encrypted hard drive...
I'm just saying there really isn't a huge attack vector for hubitat to be used as a gateway...
Pretty sure we are all wanting it for the remote access when logging into the account side from the WWW... It gives full access to your hub and potentially access to the entire network.
2 Likes
All methods of 2FA/MFA have their pros and cons. One of the easiest and cheapest methods for Hubitat to implement would be an authentication token and use an app like Authy or one of the other token apps. That would alleviate the need for SMS services to send out 2FA codes, etc. One problem that I have found with the token method is that the correct time is of utmost importance since token authentication relies on the time to be sync'ed with the token generator and the token user. I experienced problems with this a couple of year ago after a hurricane left us in the dark for 3 weeks and even though I had generator power, I had no internet to sync the time with NIST. The time on the device had "drifted" slightly and then token would not match. I had to "jury rig" a wireless internet connection to the device just so it would sync the time and work with the authenticator.
I vote for a Time-Based One-Time Password (TOTP).
just checking if this is still on the Radar, its been some time and I am a little concerned these days.. I have a VPN for my stuff but the Geo locations and the app itself are not locked via 2fa
Bump on this topic. I certainly wouldn't mind having OTP/Authenticator/2FA of some sort for remote access. 
1 Like
