Most mobile authenticator apps allow you to back up your registrations to an account with the vendor.
Alternatively, if you have a spare phone (with or without a SIM), you can deploy your authenticator apps to a second phone, iPad, or Android tablet so that you are not tied to a single device for authentication.
Important note: if the website allows it, you can register the same QR code in several authenticator apps on the SAME or DIFFERENT devices. If you have already registered with a site, you can re-register a fresh QR code on both devices so that both hold the same "seed" (the shared secret) for your login ID.
You can then authenticate to your applications and websites from the iPad or Android tablet without your primary phone nearby.
Below is an example of four authenticator apps that registered the same QR code: LastPass Authenticator (red shield icon), Google Authenticator (grey G), Microsoft Authenticator (blue lock icon), and Okta Verify (blue "O" checkmark icon).
We ran a test to confirm that these apps are all time-based (TOTP, RFC 6238) and derive the code only from the registered seed and the clock. As the screenshot below shows, every time-based app that holds the same seed returns the same code during the same time step; the standard step is 30 seconds, after which the code rotates. If two apps ever disagree, check the device clocks first, because a clock that is off by more than one step produces codes the site will reject.
Note that other authenticators do not derive the code from time and a shared seed alone: their credentials are provisioned by the vendor's own mechanism (or they use push notifications), so they cannot be duplicated by scanning the same QR code. Examples: RSA SecurID (cloud icon), Symantec VIP Access (yellow circle with checkmark icon), Okta Mobile (blue icon), and IRS2Go (IRS logo icon).
As more accounts are compromised, we strongly recommend enabling one or more of these authenticator apps on your mobile phone. All of the apps listed are free from their vendors.
Many websites offer a "two-factor" authentication option in their account security settings. You enrol your mobile phone by scanning the QR (quick response) code the site displays.
Below are examples of QR codes that you can scan with your phone camera. Modern phones automatically decode these images into text: a website URL, a plain message, or a registration code. The three QR codes below are plain text messages that you can practice on. The more characters a code holds, the smaller its blocks become.
Hopefully this entry is of value for account recovery, or for managing access with a partner, spouse, dependents, or parents.
An additional benefit: if the primary phone is lost or damaged, you still have access to your accounts without going through the recovery process on each one (disable the authenticator app, prove your identity, regain access, re-enrol the authenticator app).
The trade-offs: you must remember to register the second device at the same time as the primary phone for every new website, and again whenever you re-enrol on an existing one. And because both devices hold the same seed, anyone who gets into either device can generate your codes, so both need a screen lock, and if one is lost you should remove the registration from the site and enrol a fresh QR code on the remaining device.
Example: Facebook TFA (Two-Factor Authentication) configuration
Select Security and Login / Two-Factor Authentication under Facebook Settings. You will be asked to re-enter your password to confirm that you are authorised to change these settings.
Next, select the "Authenticator App" Manage button. Have both your primary phone and your second device ready with one of the authenticator apps open, and scan the QR code with both. Do NOT click Continue until both devices have scanned it. This QR code carries the "seed" (the shared secret) for your authenticator app, so treat it like a password: do not screenshot, print, or e-mail it, because anyone who scans it can generate your codes. If you have any issues, request a new QR code from the site and scan it again on both devices.
After you click Continue, most applications and websites ask you to enter the current code from your device to prove that the seed was recorded correctly. Both devices should show the same code, and both should rotate to the same new code together every 30 seconds.
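To show what the two-device test above is actually relying on, here is an added Python example (it is not from the original post or from any of the apps named above). It implements RFC 4226 HOTP and RFC 6238 TOTP, decodes the otpauth:// URI that a registration QR code carries, and then "scans" the same URI on two simulated devices to show that both produce the same code for the same 30-second time step and roll over together. The URI, the account label and the seed are constructed for the example; the seed is the RFC 6238 test key, not a real account.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole periods since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/ URI a registration QR code encodes.

    The 'secret' parameter is the shared seed (base32). Whoever scans the code,
    on whatever device, gets this seed and therefore the same codes.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


class AuthenticatorApp:
    """Stand-in for one authenticator app on one device: stores scanned seeds, shows codes."""

    def __init__(self, name: str):
        self.name = name
        self.accounts = {}

    def scan(self, uri: str) -> None:
        reg = parse_otpauth(uri)
        self.accounts[reg["label"]] = reg

    def code(self, label: str, unix_time=None) -> str:
        reg = self.accounts[label]
        now = int(time.time()) if unix_time is None else unix_time
        return totp(reg["secret"], now, reg["period"], reg["digits"], reg["algorithm"])

    def seconds_left(self, label: str, unix_time=None) -> int:
        period = self.accounts[label]["period"]
        now = int(time.time()) if unix_time is None else unix_time
        return period - (now % period)


# Constructed registration URI: the RFC 6238 test seed "12345678901234567890" in base32,
# with a made-up label. A site's QR code encodes exactly this kind of string.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=6&period=30")
SAMPLE_LABEL = "Example:alice@example.com"


def two_device_demo(unix_time: int) -> dict:
    """Scan the same QR on a 'phone' and a 'tablet' and compare what each shows at one instant."""
    phone, tablet = AuthenticatorApp("primary phone"), AuthenticatorApp("tablet")
    phone.scan(SAMPLE_URI)
    tablet.scan(SAMPLE_URI)
    phone_code, tablet_code = phone.code(SAMPLE_LABEL, unix_time), tablet.code(SAMPLE_LABEL, unix_time)
    return {
        "phone": phone_code,
        "tablet": tablet_code,
        "match": phone_code == tablet_code,
        "seconds_left": phone.seconds_left(SAMPLE_LABEL, unix_time),
    }


if __name__ == "__main__":
    print(two_device_demo(int(time.time())))
```

Running two_device_demo at the RFC 6238 test instant 1111111109 gives 081804 on both "devices" with one second left in the step; two seconds later, at 1111111111, both have rolled over to 050471. Any app that holds the same seed, period and digit count lands on the same code, which is exactly why the QR code must be guarded and why re-enrolling with a fresh code is the right response to a lost device.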
LastPass example:
If you use LastPass, the online password manager, you can enable the three popular authenticator apps there as well. The Google Authenticator option can also be used with the Okta Verify app.
I was interested in the intersection of Docker, VMware, and an application (Home Assistant) that users may wish to run on their laptops or workstations.
Home Assistant seemed especially valuable to business travellers and road warriors who want a simple, flexible dashboard for keeping an eye on activity at home.
I have put together the following steps, which can be completed in thirty (30) minutes or less using community and non-commercial licenses.
This lab covers the following products: VMware Player (free personal license), Home Assistant (open-source home automation platform), Docker (the container runtime the pre-built Home Assistant appliance uses to run its services), Ring Doorbell (ring.com), and Fast.com (download speed monitoring).
Please review it and see whether it has value for your project teams in raising awareness of Docker, while still being useful at home.
Ring Door Bell (ring.com) & Fast.com
The dashboard image above is the goal of this lab: use the community tools for home automation, and add your Ring.com credentials so you can view and monitor your doorbell while on the road or at home. We have also added the Fast.com integration to monitor download bandwidth using Netflix's sponsored site.
Step 1: Create a single folder for downloads and installation
This avoids clutter from VMware configuration and data files, which would otherwise end up in two (2) different folders if the defaults are accepted.
Step 2a: Locate the Home Assistant VMDK bootable disk image
We pre-download this bootable image so that it is ready to be consumed by VMware Player. (Note: if you already have VMware Workstation, you may use it instead of VMware Player.)
See the link in the next step.
Step 2b: Download the Home Assistant VMDK bootable disk image
The pre-built, compressed VMDK is found under "Getting Started" and "Software Requirements" on the Home Assistant site.
Select the "VMDK (VMware Workstation)" link to download the file.
Step 2c: Copy and extract the VMDK from the compressed .gz file
Make a copy of the extracted vmdk file, since later steps will modify it. The file is gzip-compressed; use 7-Zip ( https://www.7-zip.org/ ) or another third-party tool to extract it. The built-in Windows zip tool will most likely not extract this file.
Step 3a: Download a free, personal-license copy of VMware Player
If you already have VMware Workstation you may skip this series of steps, or you may install VMware Player alongside your existing Workstation installation.
Step 3b: Install VMware Player and designate it for personal use ("non-commercial use") when asked for a license key
During installation, when asked for a license, select "non-commercial use" for personal use on your home laptop or workstation.
Step 4a: Start VMware Player and select "Create a New Virtual Machine"
Now we are ready to create our first virtual machine on the laptop or workstation. We use the default wizard to build the initial settings, then modify them for the pre-built Home Assistant bootable disk image.
Step 4b: Select the following configuration to jump-start the VMDK
Choose a generic Linux operating system and version. I selected "Other Linux 5.x or later kernel 64-bit". Next, select the folder where the Home Assistant vmdk file was extracted. Rename the VM as you wish; I kept it as "homeassistant".
Step 4c: Allow discovery of the Home Assistant VMDK
VMware Player will detect that a vmdk file already exists in this folder and warn you. Click Continue to accept the warning.
On the next screen, select "Store virtual disk as a single file" to avoid the clutter of split disk files.
Step 4d: Create the new virtual machine
We are now ready to complete the new virtual machine with the default configuration.
Note: when this step completes, do NOT start/play the VM yet; doing so writes default OS configuration settings that we do not want.
Step 5a: Edit the new virtual machine settings
Now we adjust the default configuration so the VM uses the pre-built Home Assistant VMDK bootable disk file.
Step 5c: Add a hard drive of the correct type (IDE) for the bootable VMDK
Click "Add" to add a "Hard Drive" with Type = IDE. Select "Use an existing virtual disk"; the existing virtual disk is the Home Assistant VMDK file.
Click Next.
Step 5d: Select the "hassos_ova-2.xx.vmdk" file as the existing bootable disk
Select the Home Assistant VMDK file that was extracted. Make sure you do NOT select the placeholder disk the wizard created earlier, named "homeassistant.vmdk".
Click Finish.
Step 5e: Allow the vmdk disk to be imported
You may convert the VMDK or leave it in its existing format. We tested both choices and observed no difference.
After import, observe that the hard drive now shows IDE as its connection type.
In the next step we expand this hard drive from its default maximum of 6 GB.
Step 5f: Expand the VMDK from 6 GB (default) to 32 GB maximum disk size
Select "Hard Drive", then in the right-hand panel select "Expand disk capacity".
Change the maximum disk size from 6.0 to 32.0 GB.
Click OK and confirm that both panels now show the new size for the hard drive.
Click OK to close the settings window. Reminder: do NOT start/play the image yet.
Step 6a: Convert the firmware type from "BIOS" (default) to "EFI" for the new virtual machine
This is the last step before we start the image. The Home Assistant bootable VMDK was built to boot with EFI firmware rather than the legacy "BIOS" boot loader.
VMware Workstation and ESXi expose a GUI setting for the virtual firmware.
VMware Player does not expose it in the GUI, so we use the VMware-documented method of editing the virtual machine's configuration file directly to set one (1) key: https://communities.vmware.com/docs/DOC-28494
Navigate to the folder where the VMDK was extracted. You will now see several other files, including the primary configuration file for the new virtual machine, "homeassistant.vmx". A "*.vmx" file holds the virtual hardware configuration VMware uses to boot the VM.
Step 6b: Edit the configuration file for the new virtual machine
Use Windows notepad.exe, Notepad++, or a similar plain-text editor (not a word processor, which may substitute curly quotes).
If the VM has never been started, the file will NOT yet contain a key:value pair with the string "firmware". Note: if the VM was started before this entry is added, startup issues will occur (if that happens, restart the lab from Step 4a).
Append the following line, with straight ASCII double quotes, to the bottom of the file and save it:
firmware = "efi"
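As an added example (not from the original lab or from VMware), the following Python script makes the Step 6b edit safely and runs the checks from Steps 5d and 6a before you power on: it parses the .vmx, sets firmware = "efi" exactly once with straight quotes (replacing a value VMware may already have written, and any curly-quoted line pasted from a web page), and lists the attached .vmdk files so you can confirm the VM points at the hassos image rather than the wizard's placeholder homeassistant.vmdk. The sample .vmx content and the file names in it are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample of a freshly created, never powered-on VMware Player .vmx file.
# A real file carries many more keys; the disk file name below is a placeholder.
SAMPLE_VMX = '''.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "16"
displayName = "homeassistant"
guestOS = "other5xlinux-64"
ide0:0.present = "TRUE"
ide0:0.fileName = "hassos_ova-2.xx.vmdk"
scsi0.present = "FALSE"
'''

# key = "value"   (VMware keys are case-insensitive; values are double-quoted)
VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')
FIRMWARE_LINE = re.compile(r'^\s*firmware\s*=', re.IGNORECASE)


def parse_vmx(text: str) -> dict:
    """Return the key/value pairs of a .vmx file with keys lower-cased."""
    entries = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def set_firmware_efi(text: str) -> str:
    """Return the .vmx text with exactly one firmware = "efi" line in straight ASCII quotes.

    Appends the key if the VM was never powered on (the Step 6b case), replaces it if
    VMware already wrote one, and also replaces a curly-quoted line that would be ignored.
    """
    out, done = [], False
    for line in text.splitlines():
        if FIRMWARE_LINE.match(line):
            if not done:
                out.append('firmware = "efi"')
                done = True
            continue  # drop any duplicate firmware lines
        out.append(line)
    if not done:
        out.append('firmware = "efi"')
    return "\n".join(out) + "\n"


def attached_disks(text: str) -> list:
    """List (device, file) for every .vmdk attached to a device marked present."""
    entries = parse_vmx(text)
    disks = []
    for key, value in entries.items():
        if key.endswith(".filename") and value.lower().endswith(".vmdk"):
            device = key[: -len(".filename")]
            if entries.get(device + ".present", "").upper() == "TRUE":
                disks.append((device, value))
    return sorted(disks)


def preflight(text: str, placeholder: str = "homeassistant.vmdk") -> list:
    """Problems that would keep the HassOS image from booting as the lab describes."""
    problems = []
    if parse_vmx(text).get("firmware", "").lower() != "efi":
        problems.append("firmware is not set to efi")
    disks = attached_disks(text)
    if not disks:
        problems.append("no virtual disk attached")
    for device, name in disks:
        if Path(name).name.lower() == placeholder:
            problems.append(f"{device} points at wizard placeholder {name}")
    return problems


def fix_vmx_file(path: str) -> list:
    """Apply set_firmware_efi() to a .vmx on disk and return the remaining problems."""
    vmx = Path(path)
    # latin-1 round-trips every byte, so a windows-1252 file is written back unchanged
    fixed = set_firmware_efi(vmx.read_text(encoding="latin-1"))
    vmx.write_text(fixed, encoding="latin-1")
    return preflight(fixed)


if __name__ == "__main__":
    print(preflight(SAMPLE_VMX))                    # ['firmware is not set to efi']
    print(preflight(set_firmware_efi(SAMPLE_VMX)))  # []
```

Run fix_vmx_file() against the real homeassistant.vmx only while the VM is powered off, as the lab requires; an empty list from preflight() means the firmware key is set and the only attached disk is the hassos image.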
Step 7a: Start the new virtual machine
We are now ready to start the image and begin using the Home Assistant application. Select the new virtual machine and click "Play virtual machine".
Watch the console for boot-loader output that mentions EFI. That confirms the VMDK was configured to load correctly and should boot without surprises.
Step 7b: Click inside the virtual machine window to activate it, then press Enter
The VM boots quickly, and the console text may appear to stop.
Click inside the VM window with your mouse, then press the Enter key to get the login prompt.
Enter the login user ID: root
Note: to return mouse and keyboard focus to the host, press Ctrl and Alt together. Click back into the VMware Player window at any time to type into the VM again.
Step 7c: Discover the IP address of the Home Assistant docker application
Now we get to use some basic shell and docker commands to find the VM's IP address and validate the port.
At the hassio > prompt, enter the text: login
This gives us a root shell. To find the dynamic IP address that VMware Player's network assigned to the VM, run:
ip addr | grep dynamic
To view the three (3) docker containers, run:
docker ps
This displays the status of each container. After about one minute of uptime, the Home Assistant application is ready to use.
To validate the actual TCP Port used (8123), issue the following docker command:
We will use the IP address and TCP port (8123), i.e. http://<ip-address>:8123, in a browser (IE/Chrome/Firefox/Opera, etc.) on the laptop or workstation to reach the Home Assistant application.
Step 8a: Log in to the Home Assistant application with a browser
When Home Assistant starts for the first time, it asks you to create the primary account. Use your name, "admin", or any other value.
If you plan to expose this application to the internet from your home network, choose a long, complex password and store it in a password manager such as LastPass https://www.lastpass.com/ or a local KeePass https://keepass.info/ database.
Step 8b: Use "detect" to reset the default location to your area
Adjust the defaults to your location if you wish. Use the "detect" feature to reset the values, then click Next. You can use the mouse on the embedded map to refine the location.
Step 8c: Home Assistant landing page
Click Finish to skip the question about early integrations.
We are now at the Home Assistant landing page. Congratulations, Home Assistant is set up.
We will now configure two (2) items that have value for home users.
Step 9a: Enable the Home Assistant Configurator tool
Before we add new features, we need an easy way to edit the Home Assistant configuration file.
Select the MENU item (the three lines in the upper left of the window, next to the HOME label).
A side panel of menu items appears. Select "Hass.io".
Step 9b: Select the Add-on Store and the Configurator tool
Select "ADD-ON STORE" at the top of the window. Scroll down until you see the item "Configurator" under the section "Official add-ons".
Select the item "Configurator".
Step 9c: Install and Start the Configurator Tool
Select “Install” and “Start” of the “Configurator” Tool
Step 9d: Open the Web UI to use the Configurator tool
Select the "Open Web UI" link. You may wish to bookmark this URL so you can return to it for future updates.
After the Configurator landing page has loaded, select the FOLDER ICON in the upper left of the window. This gives access to the various configuration files.
Step 9e: Select the primary Home Assistant configuration file (configuration.yaml)
Select configuration.yaml from the left panel. The default configuration file loads with minimal content.
This is where we make most of the updates that enable our home integrations, Ring Doorbell and Fast.com (download monitor).
Step 10a: Add the Fast.com and Ring Doorbell integrations (with sensors and camera)
We are now ready to add as many integrations as we wish.
There are hundreds of pre-built integrations documented on the Home Assistant site.
For Ring Doorbell (ring.com) and Fast.com we have already identified the configuration we need; paste it into the primary configuration file. The references for each integration are included as comments. Note that the Ring credentials are not written here; the !secret references point at entries in secrets.yaml, which we fill in below.
# Download speed test for home use
# Ref: https://www.home-assistant.io/integrations/fastdotcom/
fastdotcom:
  scan_interval:
    minutes: 30

# Ring Doorbell
# Ref: https://www.home-assistant.io/integrations/ring/
# Ref: http://automation.moebius.site/2019/01/hassio-home-assistant-installing-a-ring-doorbell-and-simple-automations/
# Ref: https://www.ivobeerens.nl/2019/01/15/install-home-assistant-hass-io-in-vmware-workstation/
sensor:
  - platform: ring

ring:
  username: !secret ring_username
  password: !secret ring_password

camera:
  - platform: ring

binary_sensor:
  - platform: ring
Step 10b: Save configuration.yaml and confirm there are no syntax errors
Click Save and confirm that you get a GREEN check mark (the Configurator checks the configuration files for YAML indentation and formatting errors).
After saving, click the FOLDER ICON in the upper left.
We will now add the Ring.com credentials to the secrets.yaml file.
Step 10c: Select "secrets.yaml" to hold the Ring.com credentials
From the side panel, select the "secrets.yaml" configuration file to add the Ring.com credentials.
Step 10d: Enter Ring.com credentials & save this file
Enter Ring.com credentials in the following format.
# Enter your ring.com credentials here to keep them separate
# from the default configuration file.
ring_username: email_address_used_for_ring.com_here@email.com
ring_password: password_used_for_ring.com_here
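Before restarting, it is worth checking that configuration.yaml and secrets.yaml agree with each other, since a missing or still-placeholder secret is the usual cause of the error notification described in Step 11c. The following Python script is an added example, not part of the lab or of Home Assistant itself: it collects every !secret reference from configuration.yaml, parses the top-level keys of secrets.yaml without needing a YAML library, flags references with no matching key or with one of the lab's placeholder values still in place, and also flags password-like keys that were written inline instead of via !secret. The two sample files and the credential values in them are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample files for the demonstration (not the lab's real files).
CONFIGURATION_YAML = """# Ring Doorbell
ring:
  username: !secret ring_username
  password: !secret ring_password

fastdotcom:
  scan_interval:
    minutes: 30

sensor:
  - platform: ring
"""

SECRETS_YAML = """# Ring.com credentials kept out of configuration.yaml
ring_username: alice@example.com
ring_password: S3cure-Example-Pass
"""

# The placeholder strings from the lab's secrets.yaml template; leaving them in
# is a common cause of the "incorrect credentials" notification after restart.
PLACEHOLDERS = (
    "email_address_used_for_ring.com_here@email.com",
    "password_used_for_ring.com_here",
)
CREDENTIAL_KEYS = ("password", "api_key", "token", "access_token", "client_secret")

SECRET_REF = re.compile(r"!secret\s+([A-Za-z0-9_.-]+)")
SECRET_LINE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
MAPPING_LINE = re.compile(r"^\s*-?\s*([A-Za-z0-9_]+):\s*(\S.*)$")


def secret_refs(config_text: str) -> set:
    """Names referenced as '!secret <name>' anywhere in configuration.yaml."""
    return set(SECRET_REF.findall(config_text))


def parse_secrets(secrets_text: str) -> dict:
    """Top-level 'key: value' pairs of secrets.yaml, with comments and quotes stripped."""
    secrets = {}
    for line in secrets_text.splitlines():
        # a YAML comment starts at a '#' that begins the line or follows whitespace
        code = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].rstrip()
        m = SECRET_LINE.match(code)
        if m:
            secrets[m.group(1)] = m.group(2).strip("'\"")
    return secrets


def inline_credentials(config_text: str) -> list:
    """(line number, key) for password-like keys whose value is written in the clear."""
    found = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = MAPPING_LINE.match(line)
        if m and m.group(1).lower() in CREDENTIAL_KEYS and not m.group(2).startswith("!secret"):
            found.append((n, m.group(1)))
    return found


def check(config_text: str, secrets_text: str, placeholders=PLACEHOLDERS) -> list:
    """Return human-readable problems; an empty list means the two files are consistent."""
    problems = []
    refs = secret_refs(config_text)
    secrets = parse_secrets(secrets_text)
    have = set(secrets)
    for name in sorted(refs - have):
        problems.append(f"missing secret: {name}")
    for name in sorted(refs & have):
        if not secrets[name] or secrets[name] in placeholders:
            problems.append(f"placeholder or empty value for secret: {name}")
    for n, key in inline_credentials(config_text):
        problems.append(f"configuration.yaml line {n}: {key} is written inline instead of !secret")
    return problems


def check_files(config_path: str, secrets_path: str) -> list:
    """Run check() against the real files on disk."""
    return check(Path(config_path).read_text(encoding="utf-8"),
                 Path(secrets_path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    left_placeholder = SECRETS_YAML.replace("S3cure-Example-Pass", PLACEHOLDERS[1])
    for problem in check(CONFIGURATION_YAML, left_placeholder):
        print(problem)  # placeholder or empty value for secret: ring_password
```

The inline-credential check is the one to keep running after the lab: every later integration you paste in should follow the same pattern, with secrets.yaml holding the value and configuration.yaml holding only the !secret reference, so that configuration.yaml can be shared or backed up without leaking the Ring.com password.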
Step 11a: Restart the Home Assistant application
Configuration is done. Restart the Home Assistant application to load the Ring.com and Fast.com configuration.
Select "Configuration" from the left panel menu, then scroll down in the right panel to "Server Controls".
Step 11b: Restart the Home Assistant application
Select "Restart" and accept the warning with OK. The connection drops for 30-60 seconds, after which the browser may reload the previous screen (if you let the browser save your Home Assistant credentials when it offered to). If not, log in again with your Home Assistant credentials.
Step 11c: Extra: monitor the notification log for error messages
This section is ONLY needed if you see an error message in the notification log, e.g. missing entries in secrets.yaml or incorrect Ring.com credentials.
Step 12: Done: Site 1 and Site 2
Below is an example for one (1) site with a single Ring doorbell device, integrated with Fast.com.
Next is an example with many devices integrated through Ring.com.
We hope this lab was of value and that others take advantage of this pre-built appliance with Docker and VMware. Please share it to help others gain awareness of Docker.
Extra of interest: AWS and Ring.com Mp4 Videos
There are additional configurations that will allow auto-downloading of the mp4 videos from the AWS hosted site for Ring.com. Note the Video_URL for camera.front_door.
A view of the many pre-built integrations for Home Assistant
What makes an IAM project successful? This question must be understood before taking on any complex, multi-component integration that spans people, process, and technology.
IAM projects are hard. They are hard because the objective is not purely technical: it involves evaluating how business processes are implemented, and it involves adapting to change. They are hard because they require integrating with existing data on many systems, legacy and modern alike. They are hard because IAM systems are powerful: they change data where it lives, in the native systems. They are hard because the risk of not diligently planning, designing, and implementing can be disastrous. And they are hard because we must resist the urge to start building before the requirements have been discussed and the capabilities and deliverables are well understood. But a successful IAM program adds immense value to the business, and organizations looking to optimize business value are willing to tackle all of the above and more to reap the fruits a successful IAM program yields.
Below are some key aspects to ensuring IAM Project Success
Communication and Expectations
It is all about clear communication and expectation setting. During the initial phases of requirements gathering and design discussions, open and transparent communication is a must. As the IAM implementation expert, take the lead in communicating when there are gaps in the capability requested. Talk through whether a specific requirement can be met a different way that still achieves the business objective, or whether the capability should be deferred to a later cycle when time or resources are limited. Or set the expectation around the additional 'X' needed if the request is to be pursued, where 'X' may be additional funding for resources to develop custom capability, added risk to project deliverables, and so on.
Communicate honestly and execute diligently on the expectations that are set. It always helps to provide quick and honest feedback continuously. If a project is going to fail by trying to accomplish too much for the time and resources available, it was going to fail anyway; it is best to keep key stakeholders apprised of the risks up front. The more frequent and clear the communication about progress and risks, the better the outcome.
Managing clear communication and expectations around requirements, design, decisions, and risks helps the entire team stay focused on the goal and succeed.
Plan of Execution
To be successful, the entire team must agree on the deliverables, on what is expected of each team member, and on the expectations of and support from the stakeholders. A project plan that tracks deliverables and holds every member responsible and accountable for their tasks is a must. In a large project with many moving parts it is very easy to lose track of how to reach the goal line, and many sidebar issues and conversations will be in play, creating distractions. A proper execution plan, diligent upkeep of status, and accountability for every work stream instil trust in the team executing complex integrations.
Investing in an upfront plan for achieving the goals, together with open communication with the right stakeholders, paves the way to success.
Resource Planning
Resource planning is inherently part of the overall plan. We give it particular emphasis to make sure priorities are understood when working with customer teams that are also involved in other day-to-day activities. A timeline can only be met when the resources assigned to tasks actually have the cycles to get the work done.
Data Driven Testing
Investing in a data-driven test process is vital, and engaging technical and business stakeholders early in the process pays off. IAM systems change data in the customer's endpoint systems. To avoid surprises, tests should be executed on non-production systems and the expected changes to the data must be diligently validated. The absence of an error message during a test cycle is not success. Nor is it enough to confirm only the expected changes: every change must be validated to ensure that side effects have not introduced additional, unexpected changes.
Sign-off Process
A well-defined sign-off process for every stage of the project is also essential to success. It keeps the stakeholders engaged and informed in all phases of the project. A sign-off process should also include an understanding of how to keep moving forward in case of a stalemate. In an IAM project we will face issues that can cause delay, and whether a problem is a show-stopper for go-live must be evaluated objectively. It is better to have an open discussion early in the project about the challenges the team is most likely to face, and to agree a process that keeps things moving and enables focused sign-off towards a successful go-live.
Operational Expertise
IAM implementations are complex. To reap the benefits of an IAM program, a successful implementation is not enough: a skilled team that understands the execution from both a business and a technical perspective is required to ensure continuity of excellence. If the client team is to be responsible for the upkeep and maintenance of the implementation, it is crucial that they be engaged during all phases of the project. Understanding the implementation details goes a long way in tackling operational challenges.
Our team is here to help with every step to make your journey a successful one. Even if you are not working with us directly, we hope this article provides a blueprint for a successful IAM program execution.