Security: Add PIN protection #81
Comments
I would like to see a third option too - PIN security for a single widget (button, switch, selection). I'm using OpenHAB as some kind of security system, so it would be great to have PIN protection for Alarm modes, for example. Something similar to Project Rotini's implementation of PIN security. Best regards,
Why not! I'm not against the idea if properly implemented. But how do you plan to do the locking? Detecting inactivity is quite hard and prone to errors in client-only web scenarios... Also, keep in mind it could also be easily circumvented with Firebug and other in-browser development tools (almost trivial really, if it's merely an overlay to delete from the DOM), so it doesn't provide real security.
@ghys Detecting inactivity is quite simple. Just hook into any mouse/keyboard events and determine the time based on the last user interaction. We did this on our online banking web app at work. It can be done two ways: using setTimeout to time out the user (reset it on user interaction), or storing the time and calculating the difference. The only caveat with setTimeout is that some browsers delay setTimeout if the browser is in suspended mode (soft sleep, etc.), hence calculating the difference is more accurate. @davorf You also have to be very careful with browsers running in Full Screen mode. In some instances, such as older IE versions and/or tablets and Windows PCs running in Desktop mode, the on-screen keyboard does not automatically pop up. How would you enter the PIN then? Here's a screenshot of my Alarm page; as you can see, everything here is ReadOnly. I can Arm the system with a single click, but I would need to enter a PIN to disarm it.
Hello @LuckyMallari In Project Rotini's PIN-secured widgets, when you click one, it shows a custom pop-up (numeric) keyboard (with OK and Cancel buttons). If the entered PIN is correct, it automatically changes the state of the item to the new one; if not, the state is not changed. Best regards,
I can understand the need for restricting certain features to advanced users/owners with a PIN code, but I don't think monitoring user inactivity should be HABPanel's job as a web app; since it's primarily targeted at dedicated tablets (fixed/wall-mounted), the OS's own lock screen will do the job nicely for those scenarios.
I agree with you @ghys, but a locked tablet/device is basically a brick. Davorf's use case is valid to me. I run my HABPanel instance on a wall-mounted All-in-One touch screen PC. I then fabricated a microcontroller (Arduino) with a PIR sensor. The screen will turn off per the OS timeout, but I opted NOT to lock the device. When the screen is already off, I can just walk past the area, and when the PIR sensor detects the motion, the screen will turn on by itself, as I designed it to. As we have seen in our production web apps here at work, some devices will suspend JavaScript. Windows itself will suspend the IE JavaScript timer frequency code even when it's just in soft sleep. Hence the option in the Windows advanced power settings menu. Now for my HABPanel, if the device were locked, I would need to unlock the device, which defeats the purpose of it being wall-mounted. It would be nice to have a lock only on the areas I want, as @davorf mentioned, like an alarm page. Let me see what I can cook up, but I also want to make sure there's a lot of interest in this feature. I was thinking of giving the users 3 options: PIN, Password, or Pattern (like in Android).
How about using the "Fully Kiosk Browser Lockdown" app, instead of adding it to HABPanel? https://community.openhab.org/t/using-habpanel-instead-of-switches-in-house/25011/4
Correct me if I'm wrong, but this application would not protect some parts of HABPanel with a PIN, but would rather prevent the user from exiting the Kiosk application and running other applications and settings. I was talking about PIN protection for a separate widget, so you could have, for example, most switches unprotected, but a few of them with PIN protection. You could take a look at the Project Rotini implementation; its solution is a really good one, in my opinion. Best regards,
I agree with you for the PIN protection for a separate widget case, where the Kiosk Browser app doesn't make sense.
Hello @LuckyMallari, Any updates on your work on PIN/Password/Pattern?
Nice feature request indeed. Looking forward to it. Let's try to rebump the discussion.
Wow, it's been a while. Are people still interested in this? I can start working on it. Some questions though: Which parts are to be protected? We can do it tons of ways. This list will be in order of simplicity/time to design and code:
I am interested in this functionality. However, is HABPanel the right layer to implement security?
This pin pad would be in the "safety" category rather than security. The pinpad (the design I am thinking of) should not even render (ng-if) the DOM if locked, and therefore such dashboards/widgets are totally out of the picture if locked, i.e., you cannot send commands to it, you cannot know the status. There are a couple of things we can design for the locking mechanism: An option to:
We will also need a way to recover forgotten PINs other than manually editing the JSON settings. As I mentioned, UI-based security is for 'safety' only, and not Security. Doing all these will NOT prevent other means of sending commands to the item outside of the UI.
IMO if this ever gets done, it should clearly be advertised as such.
I'd like to suggest a feature - an optional layer of security for either:
When 1 or 2 is "locked", then any user interaction should be prevented by displaying PIN input overlay.
The lock screen should contain a keypad and stars indicator.