home-assistant.io/source/_docs/authentication/multi-factor-auth.markdown
Franck Nijhof c464056402
Making our website faster, cleaner and prettier (#9853)
2019-07-15 22:17:54 +02:00


title: Multi-factor authentication
description: Guide on configuring different multi-factor authentication modules.
redirect_from: /components/auth/

The Multi-factor Authentication (MFA) modules require you to solve a second challenge after you provide your password.

A password can be compromised in a number of ways; for example, a simple password can be guessed. MFA provides a second level of defense by requiring:

  • something you know, like your username and password, and
  • something you have, like a one-time password sent to your phone.

You can use MFA with any of the other authentication providers. If more than one MFA module is enabled, you can choose one when you log in.

You can turn MFA on and off in the profile page for your user account.

Available MFA modules

Time-based One-Time Password MFA module

Time-based One-Time Password (TOTP) is widely adopted in modern authentication systems.

Home Assistant generates a secret key which is shared with an app on your phone. Every thirty seconds or so the phone app generates a new, random-looking six-digit number from the secret key and the current time. Because Home Assistant knows the secret key, it knows which number will be generated. If you enter the correct digits, then you're in.

Setting up TOTP

Enable TOTP in your configuration.yaml like this:

homeassistant:
  auth_mfa_modules:
    - type: totp

If no auth_mfa_modules config section is defined in configuration.yaml, a TOTP module named "Authenticator app" will be autoloaded.

You will need an authenticator app on your phone. We recommend either Google Authenticator or Authy. Both are available for iOS or Android.

After restarting Home Assistant, go to your profile page and there should be a "Multi-factor Authentication Modules" section.

Click Enable and a new secret key will be generated. Go to your phone app and enter the key, either by scanning the QR code or typing in the key below the QR code manually.

[Screenshot of setting up multi-factor authentication]

Please treat the secret key like a password - never expose it to others.

Your phone app will now start generating a different six-digit code every thirty seconds or so. Enter one of these into Home Assistant under the QR code where it asks for a Code. Home Assistant and your phone app are now in sync and you can now use the code displayed in the app to log in.

Using TOTP

Once TOTP is enabled, Home Assistant requires the latest code from your phone app before you can log in.

TOTP is time based so it relies on your Home Assistant clock being accurate. If the verification keeps failing, make sure the clock on Home Assistant is correct.

Notify multi-factor authentication module

The Notify MFA module uses the notify component to send you an HMAC-based One-Time Password. It is typically sent to your phone, but can be sent to any destination supported by a notify service. You use this password to log in.
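The primitive behind both modules, as an added example (not part of the original page and not Home Assistant's own code): `hotp` is the HMAC-based one-time password that the Notify module sends, and `totp` is the time-based variant from the TOTP section, which shows why a wrong server clock makes verification fail. It assumes the common authenticator-app defaults (SHA-1, 30-second steps, six digits) and a hypothetical tolerance of one time step; the key is the published RFC 4226 test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (assumed authenticator-app default)
DIGITS = 6   # code length, as described on this page


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = elapsed time steps."""
    return hotp(secret, int(now) // STEP, digits)


def verify_totp(secret: bytes, code: str, server_now: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (assumed policy)."""
    counter = int(server_now) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def decode_key(b32_key: str) -> bytes:
    """Decode the base32 key that is shown below the QR code."""
    key = b32_key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


# Constructed sample key: the RFC 4226/6238 test secret, base32-encoded.
SECRET = decode_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    phone_time = 59  # constructed timestamp (an RFC 6238 test time)
    code = totp(SECRET, phone_time)
    print("code on phone:          ", code)
    print("server clock 6 s ahead: ", verify_totp(SECRET, code, phone_time + 6))
    print("server clock 2 min off: ", verify_totp(SECRET, code, phone_time + 120))
```

The same code is accepted when the two clocks differ by a few seconds and rejected when the server is two minutes off, which is the failure described under "Using TOTP".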

Setting up the Notify MFA module

Add Notify MFA to your configuration.yaml file like this:

homeassistant:
  auth_mfa_modules:
    - type: notify
      include:
        - notify_entity

{% configuration %}
exclude:
  description: The list of notifying service entities you want to exclude.
  required: false
  type: list
include:
  description: The list of notifying service entities you want to include.
  required: false
  type: list
message:
  description: The message template.
  required: false
  type: template
{% endconfiguration %}

# Example configuration, with a message template.
homeassistant:
  auth_mfa_modules:
    - type: totp
      name: Authenticator app
    - type: notify
      message: 'I almost forget, to get into my clubhouse, you need to say {}'

After restarting Home Assistant, go to your profile page and there should be a "Multi-factor Authentication Modules" section. Click Enable on the Notify One-Time Password option.

Try logging out, then logging in again. You will be asked for the six-digit one-time password that was sent to your notify service. Enter the password to log in.

If the validation fails, a new one-time password is sent.

The Notify MFA module can't tell if the one-time password was delivered successfully. If you don't get the notification, you won't be able to log in.

You can disable the Notify MFA module by editing or removing the file [your_config_dir]/.storage/auth_module.notify.