Jump to content

2-Factor Authentication (2FA)


xorinzor

Recommended Posts

Spaceboy

In the meantime it would be nice if you could fix it so the emby login screen work properly with services like LastPass

  • Like 2
Link to comment
Share on other sites

xorinzor

In the meantime it would be nice if you could fix it so the emby login screen work properly with services like LastPass

@@Spaceboy This doesn't really seem relevant to my feature request, you should open a bug report for that.

  • Like 1
  • Agree 1
Link to comment
Share on other sites

itkserver

If this is implemented, can it be a 2-part optional setting? Currently i have my server set "no pass on server network" "pass not on network" as my server is meant only to be used by myself and gf. I don't want (and certain don't wish to hear the complaints) that we need 2FA when at home. I would, however, like to see it implemented for my "away" usage.

  • Like 3
Link to comment
Share on other sites

  • 2 weeks later...
  • 4 weeks later...
  • 5 weeks later...
  • 1 month later...

It's always possible for the future, but a lot of work because it's not just something we can throw into the server and have it just work for all apps. It's something every app would have to be aware of, therefore it comes with a pretty high cost.

  • Like 2
Link to comment
Share on other sites

  • 5 months later...
  • 2 weeks later...
  • 1 month later...

Do you guys want 2F for all use?  As in user wants to view a movie vie their Roku and would have to do 2F first?

Or are you guys just wanting this for admin purposes?

 

If it's only for the latter then there may be a "compromise" solution that would be much easier.  Emby could allow a restriction for administration only from the home LAN or specific set of IPs that are WHITE LISTED.  Admin could then setup OpenVPN or similar which supports 2F for their home network/server environment.

 

While not "the solution" as asked it would get the job done in a secure manner if it's only needed for administration purposes.

Link to comment
Share on other sites

Chyron

Do you guys want 2F for all use? As in user wants to view a movie vie their Roku and would have to do 2F first?

Or are you guys just wanting this for admin purposes?

Why would you need 2FA to watch a movie after you've already logged in?

 

2FA should be for log in access. That is, two-factor authentication involves something you know (your password), and something you have (such as your phone). When you try to log in, the software asks for your username and password, and then, for example, prompts you to enter the 2FA key in the authenticator app on your phone. You don't have to authenticate with 2FA every time---just if it's a new device or if it's been a month since you last authenticated.

 

2FA should apply to logging in, not to performing tasks while logged in already. If it's simply an issue of administration, the administrator account(s) could have 2FA to log in while the other accounts do not.

Edited by chyron8472
Link to comment
Share on other sites

notla49285

+1, though I agree it should be separate for internal/external access. Also, as @@chyron8472 says, this should be for login only, once the user is logged in treat it the same as it is now (as in, not requiring login or 2FA again until the user manually signs out on that device or if the cache is cleared).

Edited by notla49285
Link to comment
Share on other sites

legallink

Why would you need 2FA to watch a movie after you've already logged in?

 

2FA should be for log in access. That is, two-factor authentication involves something you know (your password), and something you have (such as your phone). When you try to log in, the software asks for your username and password, and then, for example, prompts you to enter the 2FA key in the authenticator app on your phone. You don't have to authenticate with 2FA every time---just if it's a new device or if it's been a month since you last authenticated.

 

2FA should apply to logging in, not to performing tasks while logged in already. If it's simply an issue of administration, the administrator account(s) could have 2FA to log in while the other accounts do not.

 

I think he was saying, if you are a regular user and not one that can perform administrative functions, is it necessary for the request to have 2FA?  I could be wrong.

 

Your statement is unclear to me.  Is it for any/all people logging in or is it just for people who are/can do administrative functions?

  • Like 1
Link to comment
Share on other sites

Chyron

I think he was saying, if you are a regular user and not one that can perform administrative functions, is it necessary for the request to have 2FA?  I could be wrong.

 

Your statement is unclear to me.  Is it for any/all people logging in or is it just for people who are/can do administrative functions?

 

I would think who it's used for should be up to the server admin. The server doesn't really discriminate between who has what access rights when at the login screen. Therefore, it seems like the question is somewhat moot. Requiring 2FA when accessing the Dashboard doesn't make a whole lot of sense, especially when various changes to media/metadata can be made without accessing the dashboard at all. Not to mention that Emby Servers can grant administrator access to multiple accounts at the tick of a box.

 

The approach for 2FA on Emby would be different than on Plex (were Plex to ever implement 2FA) because Plex ties all of its user accounts through at least one plex.tv account. If you want access to a Managed User on your Plex Home, you must first log in as the plex.tv account holder before viewing the Home Users login page---and each "Friend" of that account must themselves also have a plex.tv account. Emby's user setup is quite different in that a server's Local Users are independent from Emby Connect accounts, such that Emby Connect access can be assigned on-the-fly to any Local User (or vice versa, or none at all) at any time that a server admin so desires. So asking which task we want to use 2FA for, in the interest of implementing it, kind of doesn't make sense since access rights to such features are fluid at the whim of the server admin.

Edited by chyron8472
Link to comment
Share on other sites

legallink

I would think who it's used for should be up to the server admin. The server doesn't really discriminate between who has what access rights when at the login screen. Therefore, it seems like the question is somewhat moot. Requiring 2FA when accessing the Dashboard doesn't make a whole lot of sense, especially when various changes to media/metadata can be made without accessing the dashboard at all. Not to mention that Emby Servers can grant administrator access to multiple accounts at the tick of a box.

 

The approach for 2FA on Emby would be different than on Plex (were Plex to ever implement 2FA) because Plex ties all of its user accounts through at least one plex.tv account. If you want access to a Managed User on your Plex Home, you must first log in as the plex.tv account holder before viewing the Home Users login page---and each "Friend" of that account must themselves also have a plex.tv account. Emby's user setup is quite different in that a server's Local Users are independent from Emby Connect accounts, such that Emby Connect access can be assigned on-the-fly to any Local User (or vice versa, or none at all) at any time that a server admin so desires. So asking which task we want to use 2FA for, in the interest of implementing it, kind of doesn't make sense since access rights to such features are fluid at the whim of the server admin.

Yeah I’m not trying to be difficult. I just wasn’t clear what you were saying as your previous statement was that administrator accounts could have 2fa and other accounts not. But now you are saying all accounts should have it. Sorry to beat it to death.

Link to comment
Share on other sites

Chyron

I was saying that 2FA could be implemented for some users on a server and not others. Doing so where a server admin has 2FA and regular accounts do not is one example. But that's just an example. Really who has 2FA and who doesn't on a server should be up to the server admin.

 

As opposed to Plex, where if they implemented 2FA, it would be at the plex.tv account login screen, which is both more straightforward and less flexible.

Link to comment
Share on other sites

I wasn't agreeing or not agreeing one way or the other.  I was just asking for clarification of what the intention (how it would be used) was for 2FA.

 

We could each have different uses for it.  For example I myself would never want each user to have to use 2FA  just to navigate my media and play it.  I don't give delete permission or anything destructive to users so I have no need for this.

 

I can already lock a user to a device and that to me is better than 2FA (not the same) for MY USE. Last thing I want to do is handle support for 2FA authentication to users.  I did this at my last job for our OpenVPN server which I administered (only one who knew Linux) and it's no fun in my book.  People change phones, loose them, forget what app is used, etc.

 

Now I could certainly see a use for 2FA in order to administer the server itself where things can be quite destructive.  If Emby added the ability to WHITE LIST admin IPs then for ME this could be done outside of Emby quite easily as I posted previously.  I'm not fond of Internet access to the web admin panels myself.

 

So there is no right or wrong way to use 2FA.  I just wondered what you wanted it for and I get what you are asking for.  I think that helps to give me info for this thread and the possible development of the feature.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...