Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Google Assistant: Add 2FA to doors, locks #23219

Closed
balloob opened this issue Apr 18, 2019 · 8 comments · Fixed by #23223
Closed

Google Assistant: Add 2FA to doors, locks #23219

balloob opened this issue Apr 18, 2019 · 8 comments · Fixed by #23223
Labels
integration: google_assistant

Comments

@balloob
Copy link
Member

balloob commented Apr 18, 2019

Home Assistant release with the issue: 0.91
Last working Home Assistant release (if known): -
Component/platform: Google Assistant
Description of problem:
Request from Google: Anything that can be a security issue should have 2FA in front of it.

https://developers.google.com/actions/smarthome/two-factor-authentication

Two different 2FA formats: confirm and pin needed.

Devices we should protect:

  • cover with device_class DEVICE_CLASS_DOOR, DEVICE_CLASS_GARAGE
  • locks
@awarecan
Copy link
Contributor

Note: The ackNeeded challenge type is not recommended for security devices and traits.

So we have only one choice, pinNeeded

@awarecan
Copy link
Contributor

awarecan commented Apr 18, 2019
edited
Loading

We can integrated this with our current MFA module either TOTP or HOTP.

The workflow could be

  1. user request open a lock via GA
  2. HA received the intent, check if it needs 2FA, if yes, go 3), no go 7)
  3. if need, check if current user enabled MFA, if yes, go 4) or 5), if no go 6)
  4. if yes, if TOTP configured, e.g. use Google Authenticator, HA do nothing, return pinNeeded to GA
  5. if yes, if HOTP configured, HA send one time pass code to configured notify platform, return pinNeeded to GA
  6. if no MFA configured, check if PIN configured in entity config entry, if still not, check google_assistant config, if found one, return pinNeeded to GA, if not found anything go 7)
  7. if it does not need 2FA, no MFA configured, no pin found, just execute the intent.

After GA ask user the PIN, user get check preconfigured google authenticator, or received the message contains the pin code, then provide the code to GA.

GA then will send the code with intent back to HA, and HA can go through the same logic above to check the if the code is valid.

@awarecan
Copy link
Contributor

I think it maybe a good idea to add 2FA as a general security feature. e.g. if user open front lock from our UI/app, we will ask PIN as well.

@balloob
Copy link
Member Author

balloob commented Apr 18, 2019

I think that that we don't have to be this complicated. I think that we can just allow users to specify a single pin in their config or UI that is required to interact with security devices.

@awarecan
Copy link
Contributor

single PIN for MVP of course, but eventually I think a general security feature is a good enhancement

@balloob
Copy link
Member Author

balloob commented Apr 19, 2019

We shouldn't make it too difficult because it will have to be shared with family.

@balloob balloob mentioned this issue Apr 19, 2019
Merged
4 tasks
@MartinHjelmare
Copy link
Member

What is the second factor in the pin challenge mechanism? It sounds like one factor to me.

@awarecan
Copy link
Contributor

User have to link their Google account with HA account or Nabu Casa account as first factor.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
integration: google_assistant
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ask users for a pin when interacting with locks/garage doors home-assistant/core
3 participants
@balloob @MartinHjelmare @awarecan