MFA for HE is that in the pipeline?

Not even a week in from migrating from wink and I am pretty blown away by the speed, reliability, and complexity of this platform. I am concerned about security however. These days everything is protected by MFA. Any plans for hubitat to adopt MFA for both the cloud access and local devices?

I sure hope not.

I think mfa is a pain in the ass. :slight_smile:

1 Like

If it existed I would opt out. There is nothing on my Hub worth the effort. My security system is completely separate and my thermostats have built in temperature limits. And no Smart Doorlocks.

1 Like

mfa is cloud service. HE has some cloud requirements already, but I'm not a big fan of adding more cloud dependencies....

That said they could add this as an option for their cloud portals, but having it locally basically says login won't work if internet/cloud is not working....

3 Likes

I don’t see a need for it on my local network, however, it’s incorrect to say it’s a cloud dependency.

If you use time based tokens for authentication (like google Authenticator) that can all be done locally on device.

just for the record MFA does not have to have a cloud requirement

From a security standpoint this device has some serious deficits. No way to redirect to HTTPS. No support for user certs. Security through obscurity with the alternate ports for diagnostics. Using a user name and password is not the default. I understand the idea that it is a local network device. But I also understand that threats can exist on a local network.

1 Like

I agree that 2FA is a PITA, though I'm willing to deal with it for accounts/services that exist primarily or entirely in the cloud for the times that I need to login from an unrecognized device (not all that frequent for most accounts).

However I would not use it for my HE hub, and would prefer to see them spend their limited development resources on other features.

1 Like

I understand the points about the cloud services. I do think it would make sense to implement MFA for the cloud accounts. And I do not think it is too crazy to implement an MFA code that works on the local device; it doesn't need to be cloud connected. They can use a rotating MFA code that is authenticated against the local device only.

HTTPS, unfortunately, really wasn't designed to play nice with local devices because a cert needs to be issued to a domain, not an IP. So you end up using self-signed certs. Which means your browser warns you that it's unsafe and you have to click "allow anyway" which means if your LAN is already infiltrated, you can't tell the difference between my self-signed cert that is "real" and one from an MITM attack. I've never liked HTTPS within the LAN for this reason.

As a note, even PCI compliance used to secure credit card data does not require encryption within a LAN. It's unfortunately industry standard that almost all LAN traffic is NOT encrypted.

4 Likes

MFA, especially with texting, incurs cost for the vendor. This is part of why the HE team no longer offers built-in SMS (same with SmartThings). So adding text-based MFA re-adds that cost to the team. So I'd phrase it this way: would you pay a monthly fee to have this? My gut is most people (even people who won't use MFA) would say "my God you're charging people to have security???"

2 Likes

While this is true about PCI, almost every network device I have seen made in the last 5 years with HTTP has some support for HTTPS redirect and a way to upload your own cert. Using internal DNS and a CA or public CA you don't get the warning. And additionally, when you add an exception to a site within a browser it is limited to that cert/site. Meaning you would have to have a MITM attack from day one to not notice.

As to comments about cost: MFA can be achieved without texting or email. The TOTP standard in use by almost every authenticator app (Google, Microsoft, aught, YubiKey) is an open-source standard that uses a shared seed and the time to create a one-time-use password.
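The local-only rotating code described a few posts up and the shared-seed-plus-time scheme mentioned here are the same thing: TOTP (RFC 6238) built on HOTP (RFC 4226). The following is an added example, not Hubitat code, showing a hub-side verifier that needs only a stored seed and a clock (no cloud, SMS or email); the seed is the RFC's published test secret, used here as a constructed value, and the `skew` and `last_counter` parameters are this example's own names.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the ASCII test secret from RFC 4226 / RFC 6238.
# A real hub would generate a random 20-byte seed per user at enrollment.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, skew: int = 1):
    """Verify a submitted code entirely on the local device.

    Accepts +/- `skew` time steps to tolerate phone/hub clock drift, compares in
    constant time, and refuses any step <= `last_counter` so a code cannot be
    replayed inside the window. Returns the matched counter (store it as the new
    last_counter) or None on failure.
    """
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, c, len(submitted)), submitted):
            return c
    return None


def provisioning_secret(seed: bytes) -> str:
    """The seed as base32, the form authenticator apps expect when enrolling."""
    return base64.b32encode(seed).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("enroll in your authenticator app:", provisioning_secret(DEMO_SEED))
    print("code valid right now:", totp(DEMO_SEED, now))
```

Both sides only ever need the seed and a reasonably accurate clock, which is why the scheme keeps working when the internet is down.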

I don't mean this sarcastically, I'm impressed if that's true for you. Almost none of my LAN devices support HTTPS (HE, Bond, Logitech Harmony, Kohler DTV+, Denon HEOS, Denon AVR, Lutron Caseta - all HTTP only [or unencrypted Telnet]), except maybe Hue (unsure), and AlarmDecoder. I think my only device that does is my router. Once you're getting to the point of asking people to setup an at-home CA, you're in a super small portion of the market who cares to do that.

You're correct, but for better or worse, those are used by an extreme minority of users. When people (average home owners) hear MFA and token apps, they don't even know what that is; they know 2FA, which traditionally means texting. Using TOTP, my gut says, wouldn't be widely used, so does it make sense to devote scarce development resources to it? My vote as an HE customer would be no. But of course it's their call! Just my 2 cents on the matter. Because I'm security minded I just chose not to expose my dashboards remotely. MFA to get to a dashboard would be too cumbersome and I'd probably never use cloud dashboards then.

1 Like

I just want to ask ... people are port forwarding to get to their hubs, which opens a larger hole, and we're concerned about MFA? What really is there to change if you keep your hub behind your network? I guess I might be missing the boat here because the app is really only a dashboard. Someone please explain this to me. I'm truly curious.

There is a large push across the IT industry to eliminate unsecured communication across many network devices. Including those designed specifically for LAN only. I will admit that many of my devices are probably on the Pro-sumer grade and maybe that is why they all have some ability to work with HTTPS.

TOTP would most likely be the same standard in use whether it's sending a text or using some authentication app. While I am not pushing for this to be done to the local device, I will say that the Google and Microsoft authenticator apps have a combined 60+ million downloads in Google Play. I am sure even more in the App Store. So I don't think it would be worthless.

I am not advocating that they spend time on MFA, but I think in general having a more security-focused approach is a good idea. HTTPS is the first step, along with strong passwords.

MFA probably isn't necessary for most people, but I feel that HTTPS, even with a self-signed cert, and an option to redirect is applicable to every threat model. A good password is meaningless without some form of encryption.

I don't want to turn this into a larger debate, but I will probably pop up on many security threads because that is part of what I do for a living.

April,

The concern with HTTPS or MFA is that once a bad actor is in your network, the first thing that they are going to do is look for internal vulnerabilities to gain further and greater access.

The stance from HE has been to not expose it externally and you will be ok. Basically saying I built a fence around my property so there is no need for a lock on the door because the fence will keep people out. While this risk is lower with a smaller number of educated users. The more they grow the more likely they are to become a target.

EDIT: I am in no way upset with HE or the staff; security is something I can be a squeaky wheel about! I do really love the product.

1 Like

Didn't take it that way. I was just truly curious and wanted to hear all sides. Thank you for replying.

That edit wasn't for you April, :rofl: but for anyone else reading through this trying to make a decision to buy!

I am very hopeful for many new features and improved security coming from the HE team!

1 Like

Yah but I also didn't want to sound like I'm arguing either. :grin:

1 Like

Not that anyone here said otherwise, but just so people reading along don't get the wrong impression, when you access the dashboards via the cloud, or anything in HE via the cloud, it is HTTPS. The discussion here is only when it's on LAN it is HTTP.