
2-Factor Authentication (2FA)


xorinzor


adrianwi

So security isn't a core function of emby?  I'm hosting several of those online solutions (Nextcloud, Bitwarden, WordPress, Limesurvey, Mattermost, etc.) and they all have the option to enable MFA, which I do for some accounts (it is not forced on all). emby is one of the few that doesn't 😕

  • Agree 2

tedfroop21
27 minutes ago, Dreakon13 said:

Again, MFA wouldn't have prevented that.  If some users expose their server to the internet and can't be bothered to even password protect their admin user, they aren't going to enable MFA.

Yup.  When they changed the frequency of password updates where I worked to every month,  half the users started changing their password 25 times to get back to the same password they were using before the change triggered - plus the list of passwords written down in their desk drawer.

Security is what you make of it.......

 


Q-Droid
19 minutes ago, adrianwi said:

So security isn't a core function of emby?  I'm hosting several of those online solutions (Nextcloud, Bitwarden, WordPress, Limesurvey, Mattermost, etc.) and they all have the option to enable MFA, which I do for some accounts (it is not forced on all). emby is one of the few that doesn't 😕

Security is an important function and the dev team has spent this beta cycle hardening and closing the gaps in the system. I don't agree with all of the choices they made but I'll live. Your list is of products intended to be openly hosted for public access and even if restricted they are by design meant to be used anywhere and everywhere. Emby is by design a personal media server with the option to add public access. I'm not saying they shouldn't include an option for MFA but it's not a priority for most.

  • Like 1
  • Agree 1

Dreakon13
49 minutes ago, adrianwi said:

So security isn't a core function of emby?  I'm hosting several of those online solutions (Nextcloud, Bitwarden, WordPress, Limesurvey, Mattermost, etc.) and they all have the option to enable MFA, which I do for some accounts (it is not forced on all). emby is one of the few that doesn't 😕

Just my two cents but no, security isn't something I expect Emby to prioritize for me.  I think if it did, it'd start looking a lot more like Plex and most people here don't want that.

Edited by Dreakon13

odeuxcool
20 minutes ago, Dreakon13 said:

Just my two cents but no, security isn't something I expect Emby to prioritize for me. I think if it did, it'd start looking a lot more like Plex and most people here don't want that.

Most people don't want that? Well, listen, let me tell you that you need to wake up for a moment!
It is essential that this functionality is offered to actually be much more like PLEX which does not joke about this.


Dreakon13

Centralizing authentication is a complicated slippery slope (both conceptually and in regards to implementation) that led to Plex being where it is, and why a lot of people here are former Plex users.  Obviously MFA itself doesn't put Emby anywhere near the ballpark Plex is playing in, but in general an over-emphasis on Emby prioritizing security that isn't entirely necessary if you're administrating your server and deploying Emby properly, gets it closer.

To clarify, I don't have an issue with MFA and if they added it I'd probably use it.  But I understand why they're reluctant to invest resources in it, and why some people here probably don't care about it as much as some of the folks in this thread.

Edited by Dreakon13

adrianwi

I'm not, and never would, suggest a model like Plex where you connect via their services.  That was one of the main reasons for jumping from the Plex ship, having to authenticate with their service to access my local server.  But MFA doesn't imply or even head toward this scenario.  And how difficult can it be?  It's pretty much tried and tested so surely can reuse existing packages relatively easily.  

You do have to wonder why they bother with a Feature Request forum when many of the requests date back several years with plenty of discussion and support.  The emby team choose not to listen and write code to round corners on cover art rather than enhance security features.

I won't be going back to Plex, but perhaps it's time to check out what the Jellyfin folk have been doing for the past few years, even though I didn't really like how they did this at the time.


Dreakon13
31 minutes ago, adrianwi said:

I'm not, and never would, suggest a model like Plex where you connect via their services.  That was one of the main reasons for jumping from the Plex ship, having to authenticate with their service to access my local server.  But MFA doesn't imply or even head toward this scenario.  And how difficult can it be?  It's pretty much tried and tested so surely can reuse existing packages relatively easily.  

You do have to wonder why they bother with a Feature Request forum when many of the requests date back several years with plenty of discussion and support.  The emby team choose not to listen and write code to round corners on cover art rather than enhance security features.

I won't be going back to Plex, but perhaps it's time to check out what the Jellyfin folk have been doing for the past few years, even though I didn't really like how they did this at the time.

I could be wrong since I don't really know Jellyfin's development/feature pipeline but Jellyfin doesn't seem to have MFA built in either and it's sitting on a request from 2019 with no answer in sight.  So I dunno, maybe there's something to that.

Edited by Dreakon13
  • Agree 1

ebr
1 hour ago, adrianwi said:

But MFA doesn't imply or even head toward this scenario

Well, it does a bit in that, in order to implement 2FA there needs to be some sort of authentication point and, having one central one for everyone makes this MUCH easier.

The complication with us is that the authentication lies entirely within your own server on your network.  Just look at the number of people who struggle setting up external access to their machines and extrapolate that out to trying to properly set up their network so that 2FA communications can properly work.

Not impossible but certainly more complex and much, much harder to support.

  • Agree 2

odeuxcool
14 minutes ago, ebr said:

Well, it does a bit in that, in order to implement 2FA there needs to be some sort of authentication point and, having one central one for everyone makes this MUCH easier.

The complication with us is that the authentication lies entirely within your own server on your network. Just look at the number of people who struggle setting up external access to their machines and extrapolate that out to trying to properly set up their network so that 2FA communications can properly work.

Not impossible but certainly more complex and much, much harder to support.

Simply make the option available without activating it by default!
Users are free to activate it or not.
And I'm talking about a Google Authenticator type authentication which is very good and totally local as well as specific to each user account


ebr
7 minutes ago, odeuxcool said:

a Google Authenticator type authentication ... and totally local

How is that "totally local"?  How would the authentication actually occur?

  • Agree 2

odeuxcool
24 minutes ago, ebr said:

How is that "totally local"? How would the authentication actually occur?

Exactly like with phpMyAdmin for those who know.

A simple QRcode allowing association with an application that generates random codes like Google Authenticator.

It is therefore Emby which generates the QRcode and Google Authenticator which receives it.

Easy as pie

  • Like 1

adrianwi
2 hours ago, ebr said:

Well, it does a bit in that, in order to implement 2FA there needs to be some sort of authentication point and, having one central one for everyone makes this MUCH easier.

The complication with us is that the authentication lies entirely within your own server on your network.  Just look at the number of people who struggle setting up external access to their machines and extrapolate that out to trying to properly set up their network so that 2FA communications can properly work.

Not impossible but certainly more complex and much, much harder to support.

Just excuses.  The authentication point can be a mobile phone using any number of 2FA apps, so in no way linked to emby.com.  And it should be entirely optional, so if people just want to carry on with/without passwords/PINs/etc. they can, but if they want added security they can too. Let's be honest, most people hosting emby themselves are likely to have encountered or even be using 2FA using a third party app.  They'll likely have some understanding of recovery codes and there's no reason why a password reset similar to the one in place now can't be used to reset the 2FA code also.


Dibbes

I don't think it's a real technical difficulty here. This really isn't anything more than an API integration or SDK integration in most cases. Emby has tackled issues a lot more complicated than that. The real issue I see here is that it's a lot more difficult from a tech support side. The Emby team obviously can't go and support every single user who locked themselves out or deleted the authenticator from their phone; also it's kind of prohibitive to set up alternative methods, like SMS (though email should be doable).

It might be feasible to change the LDAP plugin though... but then, you'd need something like an integration with Azure AD (or whatever it's called this week) and let Microsoft handle that...


rbjtech

So Emby already has an additional restriction of sorts - called 'Device Access'.

I can 'lock down' access so emby will only work on a particular device if I wanted to, i.e. my phone.

Yes this is not true MFA, but could this be used as some form of one time password type access system to restrict all other access and only allow access via this OTP ?

Just thinking out loud here to maybe compromise on not adding 3rd party MFA, but include additional protection for Admin accounts using the existing emby Authentication system.


jaycedk

Tbh how is this ever going to be a good idea, when this is someone's issue.

Admins out there are still using windows "freging" 7 and don't understand why updates are an issue.

Op + supporters of this thread, can you tell me, you will help sort out their issues setting 2fa up.

Or will you hide in your little internet troll holes.

Edited by jaycedk
  • Haha 1

adrianwi

So we're all stuck with the lowest common denominator?  Where did I leave my Windows XP CD?  Probably with the MS-DOS 5.1 floppies 😐

Why do you even try and support users on OS that went EOL 4 years ago?  Crazy!

Edited by adrianwi
  • Haha 1

bandit8623

just throwing this out there.

opnsense has a totp option and was pretty easy to set up.  qr code generated on the opnsense box.  give that code to the user.  can use an auth app of your choice.  for the password it's the 6 digit code from the auth app + your normal pass.

https://docs.opnsense.org/manual/two_factor.html

  • Like 1
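The thread keeps circling the same question (ebr's "how would the authentication actually occur?", odeuxcool's QR-code/Google Authenticator answer, bandit8623's OPNsense note that the 6-digit code is simply prefixed to the normal password, and adrianwi's point about recovery codes). Below is an added, self-contained example of exactly that model; it is not Emby's code and not anything from the Emby, OPNsense or Jellyfin projects. It is written in Python so it runs stand-alone; Emby itself is not Python. The server stores one random secret per user, shows it once as an `otpauth://` URI (the thing a QR code encodes), and afterwards both the server and the phone compute the code from `HMAC-SHA1(secret, floor(unix_time / 30))` on their own, so no emby.com or other third-party service is in the loop. The user name `alice`, the issuer string `Emby`, the +/-1 step drift window and the recovery-code layout are assumptions made for the demo.

```python
"""TOTP (RFC 6238) enrolment and verification that is fully local to the server.

Added example, not Emby's code. Server and authenticator app share a secret
and each derive the 6-digit code from HMAC-SHA1(secret, time // 30); nothing
leaves the local network. The user name, issuer and recovery-code format below
are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

STEP = 30      # seconds per time step (Google Authenticator default)
DIGITS = 6     # code length (Google Authenticator default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // STEP)


def new_secret() -> bytes:
    """160-bit random secret, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(20)


def otpauth_uri(secret: bytes, user: str, issuer: str = "Emby") -> str:
    """The string an authenticator app decodes from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{user}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def verify(secret: bytes, code: str, at=None, window: int = 1, last_counter: int = -1):
    """Accept the code for the current step or +/- `window` steps (clock drift),
    but never a step at or before `last_counter`, so a code seen on the wire
    cannot be replayed within its 30-second validity.
    Returns (ok, counter_to_store_for_this_user)."""
    at = time.time() if at is None else at
    now = int(at) // STEP
    for counter in range(now - window, now + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


def split_otp_prefix(submitted: str):
    """OPNsense-style single password field: <6-digit code><normal password>."""
    if len(submitted) <= DIGITS or not submitted[:DIGITS].isdigit():
        raise ValueError("expected the 6-digit code followed by the password")
    return submitted[:DIGITS], submitted[DIGITS:]


def new_recovery_codes(n: int = 8):
    """One-time recovery codes for a lost phone. Only the hashes are stored server-side."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def use_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code: valid exactly once, then removed from the set."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # Enrolment: generate, show the URI once, then require one valid code before enabling.
    secret = new_secret()
    print("scan:", otpauth_uri(secret, "alice"))   # "alice" is a made-up user
    code = totp(secret)                             # what the phone app would show right now
    ok, last = verify(secret, code)
    print("first code accepted:", ok)
    # Login with the combined field, as OPNsense does it.
    otp, password = split_otp_prefix(code + "correct horse")
    print("otp:", otp, "password:", password)
    # The same code again is rejected once its counter has been stored for the user.
    print("replay accepted:", verify(secret, otp, last_counter=last)[0])
    # Recovery path for a lost phone.
    plain, stored = new_recovery_codes()
    print("recovery ok:", use_recovery_code(stored, plain[0]),
          "reuse ok:", use_recovery_code(stored, plain[0]))
```

Two design points worth noting. The acceptance window is there only for clock drift between server and phone; widening it beyond one step makes brute force of a 6-digit code cheaper, so a login rate limit belongs next to `verify` in a real deployment. The `last_counter` argument is what separates "anyone who saw the code in the last 30 seconds can log in" from a true one-time code, and it has to be persisted per user, not kept in memory.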

  • 2 weeks later...
majorsl

I stopped by to see if this was available since I have an interest in setting it up too.  I'm not sure why TOTP would be difficult to the dev wizards here after all they've accomplished.  I use Home Assistant (not their cloud) and I have TOTP set up with BitWarden and it works great.  I also have Dokuwiki hosted locally and same thing.  Home Assistant even goes the extra step of optionally enabling approvals on a device you already have authenticated to such as their app on your phone, so you have another way in if you lose access to your TOTP app.  All of this is local and doesn't need "their" servers to host anything.

Plus, both have ways to reset a user if you have direct access to the server's file system - and if anyone has access to that besides you, you've got bigger issues than MFA!

 

  • Like 1
