
2-Factor Authentication (2FA)


xorinzor


chef
2 hours ago, rbjtech said:

They want 2FA because it's a buzz word - but anybody implementing 2FA has built it on existing security fundamentals - and without them 2FA is frankly worthless and probably impossible anyway (2FA over http anyone ?)..

The 'detail' behind the attacks/attempts for the majority is going to be irrelevant - the fact that a bot is blocked after 5 attempts at using password 'monkey123' on user 'Admin' is only a good thing - it will simply move onto the next WAN IP in the scan ..

I just compiled the binary actually and it still built ok - it hasn't been updated in 3 years though according to Git - so probably needs a quick going over ! ;)

See how it uses iptables on Linux, and I think it uses some net shell on windows.  

I'll take another look, it has definitely been a while. 


  • 2 months later...
adrianwi

Given the latest events, isn't it about time the development team took this a little more seriously and stopped kicking it down the road?  All internet facing systems in 2023 should have the option for MFA.

  • Like 8
  • Agree 4

  • 1 month later...
On 3/5/2023 at 5:28 PM, rbjtech said:

They want 2FA because it's a buzz word - but anybody implementing 2FA has built it on existing security fundamentals - and without them 2FA is frankly worthless and probably impossible anyway (2FA over http anyone ?)..

The 'detail' behind the attacks/attempts for the majority is going to be irrelevant - the fact that a bot is blocked after 5 attempts at using password 'monkey123' on user 'Admin' is only a good thing - it will simply move onto the next WAN IP in the scan ..

I just compiled the binary actually and it still built ok - it hasn't been updated in 3 years though according to Git - so probably needs a quick going over ! ;)

MFA is not only a buzzword. How would you render it worthless if it stops you even with the right username/password?

Of course there's gonna be other exploits on an internet facing server, but this is the front door, let's just lock that extra tight and move on to the next security issue. It's not like you should stop here.. I am appalled by the lack of action taken to address the issue.

  • Like 1

rbjtech
1 hour ago, blj said:

MFA is not only a buzzword. How would you render it worthless if it stops you even with the right username/password?

Of course there's gonna be other exploits on an internet facing server, but this is the front door, let's just lock that extra tight and move on to the next security issue. It's not like you should stop here.. I am appalled by the lack of action taken to address the issue.

Not sure who that comment is directed at tbh.

I stand by my comment, MFA is useless unless built on a strong security foundation.

Emby is taking action, now, don't have any ETA's and MFA is likely 'on the list' but I suspect there are many things that need to be implemented/enforced first - hence my statement above.


3 hours ago, rbjtech said:

Not sure who that comment is directed at tbh.

I stand by my comment, MFA is useless unless built on a strong security foundation.

Emby is taking action, now, don't have any ETA's and MFA is likely 'on the list' but I suspect there are many things that need to be implemented/enforced first - hence my statement above.

Mostly directed @ the ppl developing emby. And then I just wondered how you could call it a buzzword and useless? The whole idea behind MFA makes everything more secure. I'm well aware everything can be hacked in one way or another, but MFA can slow down a potential hacker, or make them try elsewhere. Anyways, hope they will add it soon... I just think this should be a high priority...


rbjtech
13 hours ago, blj said:

 And then i just wondered how you could call it a buzzword and useless? 

No - you need to read what I said - you have taken it entirely out of context.

I'm well aware of what MFA is and fully agree with its concepts - but trying to bolt on enhanced security methods to weak or non-existent security foundations is like trying to add a second keypad lock on the gate below .. 😆

[image attachment: the gate]

Edited by rbjtech
  • Like 2
  • Haha 4

adrianwi

The gate is an interesting analogy, but as that's the bit I really expect emby to protect, I'd like those extra locks and a bigger gate! The fences to stop people getting around the sides are somewhat our responsibility, although I'm happy for emby to provide help with that too.


  • 3 weeks later...
odeuxcool

Hello admins/developers. It is essential to integrate MFA authentication today for external connections! Security does not only concern companies, but also individuals! I currently have 12 external user accounts on Emby and this is my only security hole. It is imperative that they can be secured, at least for the first connection with a device. I would be ready to pay more for the extension if it finally saw the light of day!


rbjtech
37 minutes ago, odeuxcool said:

Hello admins/developers. It is essential to integrate MFA authentication today for external connections! Security does not only concern companies, but also individuals! I currently have 12 external user accounts on Emby and this is my only security hole. It is imperative that they can be secured, at least for the first connection with a device. I would be ready to pay more for the extension if it finally saw the light of day!

Why do you think this is your only 'security hole' ?    There are MANY gaps in the current emby security model - and as has been explained in this thread, nobody is against MFA, but without closing the other gaps first, deploying MFA is just something an attacker would quickly sidestep.

My understanding is password lockout and possibly password entropy checking is being deployed soon, hopefully with decent integration into the Notification system to then allow Push alerts - that is a good step forward - a little sad that it took the recent 'incident' to bring it to the forefront but I'll take it.    imho, this is far more important than MFA at this point in time.


adrianwi

I think people are just rightly frustrated at the lack of action.  Let's not forget this thread was started in 2018, not as a result of the security incident.

I'm hopeful that will have been the kick the emby team needed to start taking security seriously, but if we're still commenting in this thread at the end of the year perhaps it will be time to find an alternative.

  • Like 3

  • 5 months later...
odeuxcool

The subject is still relevant today,
Security on Emby is extremely lax and almost non-existent on the authentication system.

- No 2FA protection system
- No IP address restrictions or brute force detection
- Etc.

It's really time to move your butt once and for all

  • Like 2

3 hours ago, odeuxcool said:

or brute force detection

I believe this is in 4.8.

  • Thanks 1

GWTPqZp6b
8 hours ago, ebr said:

I believe this is in 4.8.

Emby 4.8 does log AUTH errors so you can fail2ban repeated attempts

2024-01-28 22:32:55.599 Warn Server: AUTH-ERROR: 174.218.82.xxx - Invalid username or password entered.
Edited by GWTPqZp6b
  • Agree 2
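As an added illustration of the fail2ban idea in the post above (this is example code, not something from the post or from Emby), the following Python scanner reads lines in the AUTH-ERROR format quoted there and applies a fail2ban-style lockout: a host is banned once it accumulates maxretry failures inside a findtime window, and further failures during bantime are ignored. The sample log lines, the 203.0.113.7 / 198.51.100.9 addresses, the thresholds and the fail2ban filter text are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Emby 4.8 AUTH-ERROR line quoted in the post above. The poster
# masked the last octet as "xxx", so the host field is matched as any
# non-space run rather than a strict dotted quad.
AUTH_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Warn Server: "
    r"AUTH-ERROR: (?P<host>\S+) - Invalid username or password entered\.$"
)

# The same match expressed as a fail2ban filter (assumption: a jail pointed at
# the Emby server log; <HOST> is fail2ban's host placeholder).
FAIL2BAN_FILTER = (
    "[Definition]\n"
    "failregex = ^.*AUTH-ERROR: <HOST> - Invalid username or password entered\\.$\n"
)


def parse_auth_error(line):
    """Return (timestamp, host) for an AUTH-ERROR line, or None for any other line."""
    m = AUTH_ERROR_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


class LockoutTracker:
    """Sliding-window failure counter with fail2ban-style maxretry/findtime/bantime."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self._failures = defaultdict(deque)   # host -> failure timestamps inside findtime
        self._banned_until = {}               # host -> expiry of the current ban

    def is_banned(self, host, now):
        until = self._banned_until.get(host)
        if until is not None and now >= until:
            del self._banned_until[host]      # ban has expired; forget it
            return False
        return until is not None

    def record_failure(self, ts, host):
        """Record one failure; return True only if it triggers a new ban."""
        if self.is_banned(host, ts):
            return False                      # already banned; nothing new to report
        window = self._failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                  # drop failures older than findtime
        if len(window) >= self.maxretry:
            self._banned_until[host] = ts + self.bantime
            window.clear()
            return True
        return False


def scan_log(lines, tracker=None):
    """Feed log lines through the tracker; return [(host, ban_time), ...] for new bans."""
    tracker = tracker or LockoutTracker()
    bans = []
    for line in lines:
        parsed = parse_auth_error(line)
        if parsed is None:
            continue                          # not an auth failure; ignore
        ts, host = parsed
        if tracker.record_failure(ts, host):
            bans.append((host, ts.isoformat(sep=" ")))
    return bans


# Constructed sample log: the masked line from the post, an unrelated line, a
# burst of five failures from one address inside a minute, one more failure
# from it after the ban, and three slow failures from another address that
# never fall inside the same 10-minute window.
SAMPLE_LOG = [
    "2024-01-28 22:32:55.599 Warn Server: AUTH-ERROR: 174.218.82.xxx - Invalid username or password entered.",
    "2024-01-28 22:33:00.120 Info Server: Unrelated server message",
] + [
    f"2024-01-28 22:33:{s:02d}.000 Warn Server: AUTH-ERROR: 203.0.113.7 - Invalid username or password entered."
    for s in (10, 20, 30, 40, 50)
] + [
    "2024-01-28 22:34:00.000 Warn Server: AUTH-ERROR: 203.0.113.7 - Invalid username or password entered.",
    "2024-01-28 22:40:00.000 Warn Server: AUTH-ERROR: 198.51.100.9 - Invalid username or password entered.",
    "2024-01-28 22:55:00.000 Warn Server: AUTH-ERROR: 198.51.100.9 - Invalid username or password entered.",
    "2024-01-28 23:10:00.000 Warn Server: AUTH-ERROR: 198.51.100.9 - Invalid username or password entered.",
]

if __name__ == "__main__":
    for host, when in scan_log(SAMPLE_LOG):
        print(f"ban {host} at {when}")
```

Run as a script it reports one ban, for 203.0.113.7 at 22:33:50, and nothing for the slow address or the masked one; the sixth failure from the banned host is swallowed rather than counted again, which is the behaviour a real jail needs so that a burst does not keep re-triggering the ban action.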

rbjtech
12 hours ago, ebr said:

I believe this is in 4.8.

It is - brute force + notifications of such have been added in 4.8 as I tested and reported back.  Thread here  ..

https://emby.media/community/index.php?/topic/122020-48048-user-auth-brute-force-password-lockout-feedback/#comment-1286522

On 2FA itself - I personally don't see a need as I don't Admin emby remotely (it's disabled) - if I did want to, then I'd be doing it over a secure tunnel anyway.    

Edited by rbjtech
  • Haha 1
  • Agree 1

odeuxcool
3 hours ago, rbjtech said:

On 2FA itself - personally, I don't see the need for it as I don't administer the integration remotely (it's disabled) - if I wanted to, I would do it through a secure tunnel anyway.

I have 15 users located all over France.
The administrator account is not visible on the connection interface, but otherwise yes. It is essential to be able to secure the connection to the user account!
This makes so much sense that I am completely outraged at the neglect of development on this subject!
Just like the notion of automatic IP address blocking after several failed connection attempts!
And not just notify it!


rbjtech
1 hour ago, odeuxcool said:

I have 15 users located all over France.
The administrator account is not visible on the connection interface, but otherwise yes. It is essential to be able to secure the connection to the user account!
This makes so much sense that I am completely outraged at the neglect of development on this subject!
Just like the notion of automatic IP address blocking after several failed connection attempts!
And not just notify it!

Perhaps a language issue - but please read the posts above - the IP is being blocked for a time period, the notification follows.

  • Like 1

NikolaosG
On 1/28/2024 at 7:57 PM, odeuxcool said:

The subject is still relevant today,
Security on Emby is extremely lax and almost non-existent on the authentication system.

- No 2FA protection system
- No IP address restrictions or brute force detection
- Etc.

It's really time to move your butt once and for all

I am a new Premiere user and also a Plex lifetime member since way back (almost 10 years)...

I am trying out Emby because it's faster on transcoding on my TVs and seems a lot less cluttered than Plex..

This is a serious issue though...

I can't publish any external interface to the Internet without proper modern security features, like mentioned above by odeuxcool...

This should be top priority !

 

  • Like 1

odeuxcool
1 hour ago, NikolaosG said:

I am a new Premiere user and also a Plex lifetime member since way back (almost 10 years)...

I am trying out Emby because it's faster on transcoding on my TVs and seems a lot less cluttered than Plex..

This is a serious issue though...

I can't publish any external interface to the Internet without proper modern security features, like mentioned above by odeuxcool...

This should be top priority !

 

I agree with you !

I don't even understand why this kind of request remains in the background from the developers who manage security!
It's an absolute shame on the part of the Emby team!

I'm sorry, but I get angry when I see the negligence on this subject!

  • Like 2
  • Facepalm 2

Dreakon13

Skimming through the thread again, I can kinda understand the Emby team's apprehension adding something like this.  And they have explained it a few times already.  I think it's primarily the fact that a lot of people can barely get their environment set up and Emby installed and working successfully without help, no less trying to build in too many fallible, external security layers... so they have to weigh the cost of implementing, the many man hours of supporting people who will inevitably run into issues with it through no fault of the software, and the benefit.

Emby, to me, has always seemed like it's very much so in the non-centralized, DIY mindset as far as security goes.  As it should be IMO.  You open up or lock down your server as much as you deem fit.  You can keep it entirely localized if you want.  If you don't want to deal with an HTTPS connection or firewall rules, you can expose Emby insecurely to the entire world if you want to.  If you want to run it securely through a reverse proxy or with an SSL cert and only want to expose it to the IP addresses of a few close family members, you can do that.  Emby can be secure using the tools already available and a little due diligence at the server level.

2FA is just another option but everyone seems to have a different perspective on how much that makes or breaks Emby as far as security goes, and the Emby team has more to weigh as far as the actual workload.

Should note that the recent breach in Emby was mostly the result of people who didn't even have a password on their admin user.  A 2FA option wouldn't have helped them.

Edited by Dreakon13
  • Like 4
  • Agree 1

adrianwi

You can't 'open up or lock down your server as much as you deem fit' without the tools to do this.  How many online solutions do you use in 2024 that don't allow the use of MFA?  Most don't force its use, but it is an option for those that want an extra layer of security.  There are no excuses anymore.  Users have been asking for this for over 6 years.  Given the security breach last year, you might have thought the emby team would focus some of their efforts on this, but it would appear not.


Dreakon13
8 minutes ago, adrianwi said:

Given the security breach last year, you might have thought the emby team would focus some of their efforts on this, but it would appear not.

Again, MFA wouldn't have prevented that.  If some users expose their server to the internet and can't be bothered to even password protect their admin user, they aren't going to enable MFA.

Edited by Dreakon13
  • Agree 1

Q-Droid
32 minutes ago, adrianwi said:

You can't 'open up or lock down your server as much as you deem fit' without the tools to do this.  How many online solutions do you use in 2024 that don't allow the use of MFA?  Most don't force its use, but it is an option for those that want an extra layer of security.  There are no excuses anymore.  Users have been asking for this for over 6 years.  Given the security breach last year, you might have thought the emby team would focus some of their efforts on this, but it would appear not.

Those online solutions, enterprise solutions, are multi-tiered and multi-layered implementations of security, identity, access and directory products/services integrated to present you with a simple button or prompt for login and/or MFA. The Emby dev team may decide in the future to add the option to integrate with such external products but they should not spend time  developing one for this media server. Their time and effort are better spent on improving the core function of Emby.

  • Agree 6

rbjtech
54 minutes ago, adrianwi said:

You can't 'open up or lock down your server as much as you deem fit' without the tools to do this.  How many online solutions do you use in 2024 that don't allow the use of MFA?  Most don't force its use, but it is an option for those that want an extra layer of security.  There are no excuses anymore.  Users have been asking for this for over 6 years.  Given the security breach last year, you might have thought the emby team would focus some of their efforts on this, but it would appear not.

How many of my systems do I allow direct remote admin access ?  Zero - absolutely zero.   If you are serious about security - the only way you should be allowing admin access to internal systems is with tunnels, vpns, etc and reverse proxies - all giving you the option of MFA (which you should take) but the 'tunnel' has nothing to do with emby.

Emby has done a lot of good work on security since the security incident last year - they are correctly building the layers such as notification, brute force detection etc - which all need to be in place before the more advanced stuff such as MFA.     I did a thread on it actually Q4 last year (actually it was a PM to Emby Admin)  - MFA was on the list, so I'm certainly not against it, it just needs to be given a realistic use case with emby.

Edited by rbjtech
  • Agree 2