We are committed to building Homeway with the strongest possible security. We make Homeway for the Home Assistant community, and our only goal is to provide a fantastic, private, and secure remote access solution. Security is the first consideration for every new feature; if we can’t build it securely, we don’t.
Homeway never sells or stores your Home Assistant information. This includes any data tunneled through our servers for remote access; once it’s been relayed, it’s deleted. Read our Privacy Commitment.
This page covers the security that protects your Home Assistant remote access. We are a community-driven project; if you have any questions, concerns, or clarifications, don’t hesitate to contact us directly.

Overview

Let’s start with a quick overview of the security model behind Homeway. After that, we will do a deep dive into each component and detail as much information as possible.

👩 Accounts

Security starts with your account. We encourage users to set strong passwords when creating accounts. We offer Google and Apple as 3rd-party login providers, leveraging their account security measures as the first line of defense. Adding another layer of security, Homeway will require an emailed code challenge for any login from a new IP address. Finally, we optionally offer a code-based 2-factor login challenge that can be enabled on any account.

💻 Servers

Next, server security. When your browser communicates with our services, it uses the latest web security standard, TLS 1.3. This is the same tech used by your bank, government websites, and online retailers. Our SSL certificates are minted by Let’s Encrypt from a bot running on each server. We have achieved an A+ security rating with our server and SSL configuration. The certificates are created and used per server and never leave the servers. We strive to stay up to date on the latest web server security best practices. For example, we use just-in-time access and bug bounty programs, and we require HSTS and HSTS preloading, just to name a few. For a full list, see the details below.

🏠 Add-on For Home Assistant

Moving on to our Home Assistant add-on. Our Homeway add-on connects to our worldwide server network via the same TLS connection your web browser uses. This connection is established using a secure WebSocket from the add-on, meaning no port forwarding or mapping is required. Your home router, Home Assistant server, and device are not exposed to the public internet in any way. As part of the WebSocket handshake, we take security even further. The add-on generates a random challenge and sends it to the server. The server must sign and return the challenge with its private key, allowing the add-on to verify the signature with the public key. If the challenge fails, the add-on will not connect to the server. While this has some redundancy with the TLS WebSocket connection, if a bad actor were able to generate a valid homeway.io certificate or gain control of the homeway domain, the bad actor wouldn’t have the server’s private key, so add-ons won’t connect.
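The challenge handshake described above, sketched as an added example; this is not Homeway's own code. It assumes Ed25519 signatures, a 32-byte challenge, and a public key shipped with the add-on, none of which the page specifies, and all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewChallenge returns a fresh random challenge for one handshake (32 bytes assumed).
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ServerSign is the server's side: sign the exact challenge bytes it received.
func ServerSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyServer is the add-on's side: connect only if the signature over this
// handshake's own challenge verifies against the key the add-on already holds.
func VerifyServer(pinned ed25519.PublicKey, challenge, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize { // ed25519.Verify panics otherwise
		return errors.New("pinned public key is malformed")
	}
	if !ed25519.Verify(pinned, challenge, sig) {
		return errors.New("server failed challenge: refusing to connect")
	}
	return nil
}

// Handshake runs one exchange against whichever private key the remote end holds.
func Handshake(pinned ed25519.PublicKey, remote ed25519.PrivateKey) error {
	c, err := NewChallenge()
	if err != nil {
		return err
	}
	return VerifyServer(pinned, c, ServerSign(remote, c))
}

func main() {
	// Constructed keys: "genuine" stands in for the service key; "rogue" is an
	// endpoint that could pass TLS but does not hold the service's private key.
	pub, genuine, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil)
	fmt.Println("genuine server:", Handshake(pub, genuine))
	fmt.Println("impostor:      ", Handshake(pub, rogue))
}
```

Because each handshake uses a new challenge, a signature captured from an earlier session does not verify against the next one.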

🚀 End-To-End Remote Access

Finally, the end-to-end picture. We use multiple layers of security to provide the best possible protection. First, when your browser makes a request to our Homeway servers, the server verifies that you’re logged in and that your session credentials are valid. Thus, your user account strength is the first security layer for all remote access. Next, the request is tunneled from our servers to our add-on. Our add-on makes requests to Home Assistant the same way your browser would if the browser were on your local network. The second layer of security is the Home Assistant user login system. Homeway does not store any information on our servers, including your password or any of your logged-in user session information from Home Assistant. This means that even if someone had your Homeway user information and logged in to your Homeway account, they would still need to log in to your Home Assistant server to access it.

🥰 Summary

Our remote access solution elegantly provides robust security while offering incredible convenience. Our service has been built with the community’s feedback and hundreds of engineering hours. We are incredibly proud of what we have made, but there’s always room for improvement. If you have any ideas, concerns, or feedback on how we could improve, please contact us directly; we would love to hear from you.

🪸 Deep Dives

The deep dives on each technical section of our server are coming soon. It took a lot of effort just to write this much! 🙌