Popular Post xorinzor 116 Posted January 31, 2018 Popular Post Posted January 31, 2018 I'd really like to have 2 Factor Authentication added to the login screen.It's just this (optional) extra layer of security to help secure the server (which, especially if people use camera uploads) contains pretty private data.There are for every type of programming language quite a few libraries available, so implementation on a server shouldn't be too hard to realise 96 16
Luke 39008 Posted January 31, 2018 Posted January 31, 2018 Yea it could be possible for the future. 4
Spaceboy 2563 Posted January 31, 2018 Posted January 31, 2018 In the meantime it would be nice if you could fix it so the emby login screen work properly with services like LastPass 2
xorinzor 116 Posted January 31, 2018 Author Posted January 31, 2018 In the meantime it would be nice if you could fix it so the emby login screen work properly with services like LastPass @@Spaceboy This doesn't really seem relevant to my feature request, you should open a bug report for that. 1 1
itkserver 3 Posted February 4, 2018 Posted February 4, 2018 If this is implemented, can it be a 2-part optional setting? Currently i have my server set "no pass on server network" "pass not on network" as my server is meant only to be used by myself and gf. I don't want (and certain don't wish to hear the complaints) that we need 2FA when at home. I would, however, like to see it implemented for my "away" usage. 3
Luke 39008 Posted February 5, 2018 Posted February 5, 2018 Not to worry, it's not something we'd ever require by default. 5
wiredexpress 1 Posted February 19, 2018 Posted February 19, 2018 I would also like to see 2 factor authentication it's a good idea. 1
Luke 39008 Posted June 3, 2018 Posted June 3, 2018 It's always possible for the future, but a lot of work because it's not just something we can throw into the server and have it just work for all apps. It's something every app would have to be aware of, therefore it comes with a pretty high cost. 2
runtimesandbox 156 Posted June 3, 2018 Posted June 3, 2018 Started my own post as didn't see this one, just adding my +1 here 1
ryzilla 11 Posted November 18, 2018 Posted November 18, 2018 +1 for this out of the box. I have mfa on mine via apache and duo, works well but would be nice to get it out of the box.
Carlo 4508 Posted January 7, 2019 Posted January 7, 2019 Do you guys want 2F for all use? As in user wants to view a movie vie their Roku and would have to do 2F first? Or are you guys just wanting this for admin purposes? If it's only for the latter then there may be a "compromise" solution that would be much easier. Emby could allow a restriction for administration only from the home LAN or specific set of IPs that are WHITE LISTED. Admin could then setup OpenVPN or similar which supports 2F for their home network/server environment. While not "the solution" as asked it would get the job done in a secure manner if it's only needed for administration purposes.
Chyron 247 Posted January 7, 2019 Posted January 7, 2019 (edited) Do you guys want 2F for all use? As in user wants to view a movie vie their Roku and would have to do 2F first? Or are you guys just wanting this for admin purposes? Why would you need 2FA to watch a movie after you've already logged in? 2FA should be for log in access. That is, two-factor authentication involves something you know (your password), and something you have (such as your phone). When you try to log in, the software asks for your username and password, and then, for example, prompts you to enter the 2FA key in the authenticator app on your phone. You don't have to authenticate with 2FA every time---just if it's a new device or if it's been a month since you last authenticated. 2FA should apply to logging in, not to performing tasks while logged in already. If it's simply an issue of administration, the administrator account(s) could have 2FA to log in while the other accounts do not. Edited January 7, 2019 by chyron8472
notla49285 46 Posted January 7, 2019 Posted January 7, 2019 (edited) +1, though I agree it should be separate for internal/external access. Also, as @@chyron8472 says, this should be for login only, once the user is logged in treat it the same as it is now (as in, not requiring login or 2FA again until the user manually signs out on that device or if the cache is cleared). Edited January 7, 2019 by notla49285
legallink 187 Posted January 7, 2019 Posted January 7, 2019 Why would you need 2FA to watch a movie after you've already logged in? 2FA should be for log in access. That is, two-factor authentication involves something you know (your password), and something you have (such as your phone). When you try to log in, the software asks for your username and password, and then, for example, prompts you to enter the 2FA key in the authenticator app on your phone. You don't have to authenticate with 2FA every time---just if it's a new device or if it's been a month since you last authenticated. 2FA should apply to logging in, not to performing tasks while logged in already. If it's simply an issue of administration, the administrator account(s) could have 2FA to log in while the other accounts do not. I think he was saying, if you are a regular user and not one that can perform administrative functions, is it necessary for the request to have 2FA? I could be wrong. Your statement is unclear to me. Is it for any/all people logging in or is it just for people who are/can do administrative functions? 1
Chyron 247 Posted January 7, 2019 Posted January 7, 2019 (edited) I think he was saying, if you are a regular user and not one that can perform administrative functions, is it necessary for the request to have 2FA? I could be wrong. Your statement is unclear to me. Is it for any/all people logging in or is it just for people who are/can do administrative functions? I would think who it's used for should be up to the server admin. The server doesn't really discriminate between who has what access rights when at the login screen. Therefore, it seems like the question is somewhat moot. Requiring 2FA when accessing the Dashboard doesn't make a whole lot of sense, especially when various changes to media/metadata can be made without accessing the dashboard at all. Not to mention that Emby Servers can grant administrator access to multiple accounts at the tick of a box. The approach for 2FA on Emby would be different than on Plex (were Plex to ever implement 2FA) because Plex ties all of its user accounts through at least one plex.tv account. If you want access to a Managed User on your Plex Home, you must first log in as the plex.tv account holder before viewing the Home Users login page---and each "Friend" of that account must themselves also have a plex.tv account. Emby's user setup is quite different in that a server's Local Users are independent from Emby Connect accounts, such that Emby Connect access can be assigned on-the-fly to any Local User (or vice versa, or none at all) at any time that a server admin so desires. So asking which task we want to use 2FA for, in the interest of implementing it, kind of doesn't make sense since access rights to such features are fluid at the whim of the server admin. Edited January 7, 2019 by chyron8472
legallink 187 Posted January 8, 2019 Posted January 8, 2019 I would think who it's used for should be up to the server admin. The server doesn't really discriminate between who has what access rights when at the login screen. Therefore, it seems like the question is somewhat moot. Requiring 2FA when accessing the Dashboard doesn't make a whole lot of sense, especially when various changes to media/metadata can be made without accessing the dashboard at all. Not to mention that Emby Servers can grant administrator access to multiple accounts at the tick of a box. The approach for 2FA on Emby would be different than on Plex (were Plex to ever implement 2FA) because Plex ties all of its user accounts through at least one plex.tv account. If you want access to a Managed User on your Plex Home, you must first log in as the plex.tv account holder before viewing the Home Users login page---and each "Friend" of that account must themselves also have a plex.tv account. Emby's user setup is quite different in that a server's Local Users are independent from Emby Connect accounts, such that Emby Connect access can be assigned on-the-fly to any Local User (or vice versa, or none at all) at any time that a server admin so desires. So asking which task we want to use 2FA for, in the interest of implementing it, kind of doesn't make sense since access rights to such features are fluid at the whim of the server admin. Yeah I’m not trying to be difficult. I just wasn’t clear what you were saying as your previous statement was that administrator accounts could have 2fa and other accounts not. But now you are saying all accounts should have it. Sorry to beat it to death.
Chyron 247 Posted January 8, 2019 Posted January 8, 2019 I was saying that 2FA could be implemented for some users on a server and not others. Doing so where a server admin has 2FA and regular accounts do not is one example. But that's just an example. Really who has 2FA and who doesn't on a server should be up to the server admin. As opposed to Plex, where if they implemented 2FA, it would be at the plex.tv account login screen, which is both more straightforward and less flexible.
Carlo 4508 Posted January 8, 2019 Posted January 8, 2019 I wasn't agreeing or not agreeing one way or the other. I was just asking for clarification of what the intention (how it would be used) was for 2FA. We could each have different uses for it. For example I myself would never want each user to have to use 2FA just to navigate my media and play it. I don't give delete permission or anything destructive to users so I have no need for this. I can already lock a user to a device and that to me is better than 2FA (not the same) for MY USE. Last thing I want to do is handle support for 2FA authentication to users. I did this at my last job for our OpenVPN server which I administered (only one who knew Linux) and it's no fun in my book. People change phones, loose them, forget what app is used, etc. Now I could certainly see a use for 2FA in order to administer the server itself where things can be quite destructive. If Emby added the ability to WHITE LIST admin IPs then for ME this could be done outside of Emby quite easily as I posted previously. I'm not fond of Internet access to the web admin panels myself. So there is no right or wrong way to use 2FA. I just wondered what you wanted it for and I get what you are asking for. I think that helps to give me info for this thread and the possible development of the feature.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now