Add support for 2FA #9
base: master
Conversation
It is great that you have made the update for the 2FA authentication approach. I just wanted to remind everyone of the same comments made by the ring_alarm_mqtt developer: if your Home Assistant is compromised and they are able to gather the refresh token, they will have full access to your Ring alarm system API. He even goes as far as saying he just added it due to the number of requests for it. The process to gain the token in essence removes 2FA. You must use 2FA to retrieve the refresh token; once you have the token, 2FA is no longer needed. This is no improvement over the username and password. He goes on to explain that it might be just as useful to create a service (another user) account with a very long and complex password. The refresh token, when decoded on http://jwt.io, will show similar information: a user and a random string. On Ring's side they just verify the token's validity by verifying the signature of the JSON Web Token and checking the random string against the user to authorize/authenticate the API call. Bottom line: make sure you take every step possible to secure your HA instance as well as the plugins you are using.
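To make the mechanism described in the comment above concrete, here is an added example that is not part of this thread or of the ring-alarm-mqtt project. It uses a constructed HS256 signing key, an in-memory store of issued token ids, and made-up claim names (`sub`, `rt`); Ring's real algorithm, key material and claim layout are not known here and these are stand-ins. It shows why a refresh token behaves as a bearer credential: decoding only undoes base64url (what jwt.io displays), verification checks the signature and then the stored random string against the user, and no second factor is consulted after issuance. Revoking the stored id is the remedy once a token has leaked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key standing in for the server-side signing key.
SIGNING_KEY = b"demo-signing-key-not-real"

# Constructed store of issued refresh tokens: user -> random token id.
# This mirrors the "random string checked against the user" in the comment.
ISSUED_TOKENS = {}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_refresh_token(user: str) -> str:
    """Mint an HS256 JWT for a user. In the real flow this happens once,
    right after the 2FA login; the second factor is never checked again."""
    token_id = secrets.token_hex(16)
    ISSUED_TOKENS[user] = token_id
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "rt": token_id, "iat": int(time.time())}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_payload(token: str) -> dict:
    """What jwt.io shows: the payload is only base64url-encoded, not encrypted,
    so anyone holding the token can read the user and the random string."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_refresh_token(token: str) -> Optional[str]:
    """Server-side check: good signature and the token id still belongs to
    the user. Returns the user on success, None otherwise. Possession of the
    token is sufficient; nothing here asks for a second factor."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # reject "none" and algorithm-confusion attempts
        expected = hmac.new(
            SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # forged or tampered token
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    user = payload.get("sub")
    if user is None or ISSUED_TOKENS.get(user) != payload.get("rt"):
        return None  # unknown user, revoked or unknown token id
    return user


def revoke_refresh_tokens(user: str) -> None:
    """The only remedy once a token has leaked: invalidate the stored id,
    so every copy of the old token fails the user/random-string check."""
    ISSUED_TOKENS.pop(user, None)


if __name__ == "__main__":
    tok = issue_refresh_token("ha-service-account")
    print("payload visible without any key:", decode_payload(tok))
    print("accepted as:", verify_refresh_token(tok))
    revoke_refresh_tokens("ha-service-account")
    print("after revocation:", verify_refresh_token(tok))
```

The separate service account the comment suggests maps onto `revoke_refresh_tokens`: a leaked token can be invalidated for that one account without touching the primary login.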
It seems Ring decided to make 2FA mandatory so I guess my point is no longer valid. Interestingly, by not giving a choice, they've actually made users of this addon (or more specifically, my script) less secure because now they will be more likely to use their primary account vs creating a service account. Oh well, nothing I can do about it and Ring certainly doesn't care about 3rd party integrations like this as they don't even offer an official API or any support for 3rd party development. I guess as long as your HA system isn't compromised there's no more risk.
Please merge this pull request now that 2FA is mandatory, but consider making the location IDs an optional parameter.
Added the additional fields to pass into the https://github.com/tsightler/ring-alarm-mqtt/ script. Note you need to follow the steps in https://github.com/dgreif/ring/wiki/Two-Factor-Auth in order to generate a token for use in this script.