Happy2Play 9140 Posted July 4, 2024
10 minutes ago, bandit8623 said: I'm actually the opposite. If a site I like doesn't have 2FA I avoid it, depending on how much personal info is on there. Where 2FA does help is if a general password does get breached... the person with the breached pass or the means to brute force can't get in with 2FA. Example: why OpenVPN uses it for truly good security.
I see the advantages, but I see it being a hindrance for the majority of users also, as those elderly parents will be complaining to you, the admin, even more, as things will happen that force reauthentication.
bandit8623 84 Posted July 4, 2024
5 minutes ago, Happy2Play said: I see the advantages, but I see it being a hindrance for the majority of users also, as those elderly parents will be complaining to you, the admin, even more, as things will happen that force reauthentication.
I don't think this 2FA is directed towards the end users, for example the grandparents or other users with no real admin access. From what I understand only the admin accounts should have 2FA. I personally don't care much if someone hacks one of my users and can watch some shows. My users have no admin rights and can't edit or delete anything. If I notice weird things as admin I can force password changes.
Edited July 4, 2024 by bandit8623
Happy2Play 9140 Posted July 4, 2024
Just now, bandit8623 said: I don't think this 2FA is directed towards the end users. From what I understand the admin accounts should have 2FA. I personally don't care much if someone hacks one of my users and can watch some shows. My users have no admin rights and can't edit or delete anything. If I notice weird things as admin I can force password changes.
Okay, yes, from an admin-only standpoint that changes things.
rbjtech 4806 Posted July 4, 2024
As the apps are using token-based logins now, an OTP (MFA) 'could' be utilised on the first login on a new device only, to get the token. This I have no issues with, and it would also limit 'sharing' of accounts. But agree, the main use case is for the admin accounts, for those that want to ignore good practice and expose their admin account to the internet...
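Editor's added example of the flow rbjtech sketches above (OTP demanded only when a device first obtains its token, plain token auth afterwards). This is illustration code written for this page, not rbjtech's code and not Emby's. Assumed for the example: PBKDF2 for the password store, RFC 6238 TOTP as the OTP, an opaque random bearer token per device, an in-memory store, and a `revoke_user` step standing in for what an admin does when they "notice weird things".

```python
"""Added example (not Emby's code): OTP at device enrolment only, token afterwards.
Assumed: PBKDF2 password hashes, TOTP (RFC 6238) as the OTP, random bearer tokens,
in-memory storage."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps to absorb clock drift."""
    counter = int(now // 30)
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # name -> account record
        self.tokens = {}       # bearer token -> {"user", "device_id"}
        self.enrolled = set()  # (user, device_id) pairs that have passed OTP once

    def add_user(self, name, password, *, admin=False, mfa_secret=None):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw_hash": _hash_pw(password, salt),
                            "admin": admin, "mfa_secret": mfa_secret}

    def login(self, name, password, device_id, otp=None) -> str:
        """Return a device token. The OTP is demanded only for MFA-enabled
        accounts on a device that is not yet enrolled (or was revoked)."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(
                _hash_pw(password, user["salt"]), user["pw_hash"]):
            raise PermissionError("bad credentials")
        if user["mfa_secret"] is not None and (name, device_id) not in self.enrolled:
            if otp is None or not verify_totp(user["mfa_secret"], otp, self.clock()):
                raise PermissionError("otp required")
            self.enrolled.add((name, device_id))
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": name, "device_id": device_id}
        return token

    def authorize(self, token: str) -> dict:
        """Every later API call presents only the token: no password, no OTP."""
        rec = self.tokens.get(token)
        if rec is None:
            raise PermissionError("invalid token")
        return rec

    def revoke_user(self, name: str) -> None:
        """Admin response to suspicious activity: drop the user's tokens and
        enrolments so every device has to pass the OTP again."""
        self.tokens = {t: r for t, r in self.tokens.items() if r["user"] != name}
        self.enrolled = {e for e in self.enrolled if e[0] != name}


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError (used by callers/tests)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

The point of the design is that a non-admin account with no `mfa_secret` never sees an OTP prompt, an MFA-enabled admin sees one exactly once per device, and revocation is the only thing that forces re-authentication; a production version would persist the stores and expire tokens.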
Painkiller8818 217 Posted July 4, 2024
I still wonder why I see all kinds of "but and excuses" statements instead of giving users the ABILITY to have MFA. All I see is "but it does not make your server more secure, etc." Just give users and admins the OPTION to use MFA. As long as Emby is not a managed service and is doing all the maintenance for the Linux or Windows servers etc. people are using, this is nothing you have to bother about. When someone has a Microsoft Entra tenant, Microsoft is not responsible for any misconfigurations if you have the wrong sharing options or are not using Conditional Access etc. Why are you trying to make people feel like you do a fully managed service and you need to ensure they have a secure environment? You give people a program to host their own media server, nothing more; you are not managing my security or anything else. If people forget their password or just use 12345 as a password, this is nothing you have to bother about. Just give us the option out of the box to enable MFA for those who want it. No need to discuss the whole 7 OSI layers and security. Thanks
Edited July 4, 2024 by Painkiller8818
rbjtech 4806 Posted July 4, 2024
13 minutes ago, Painkiller8818 said: I still wonder why I see all kinds of "but and excuses" statements instead of giving users the ABILITY to have MFA. [...] Just give us the option out of the box to enable MFA for those who want it.
MFA over http, there's a novel idea..
Q-Droid 827 Posted July 4, 2024
MFA/2FA is not one thing. There are multiple options, multiple methods and multiple platforms to offer all of the above, each requiring a different implementation. Thirteen pages into this thread just for the discussion of whether to do it or not. How many more pages will it take to argue about which or how many of the MFA methods/options/platforms should be implemented?
Painkiller8818 217 Posted July 5, 2024
19 hours ago, rbjtech said: MFA over http, there's a novel idea..
Hm, I might have missed the part where I wrote to enable MFA over http, but instead of spending all energy trying to make this request ridiculous we could just try to find solutions to get it working. So just make it a requirement and grey out the MFA option if not using HTTPS, problem solved, next.
rbjtech 4806 Posted July 5, 2024
1 hour ago, Painkiller8818 said: Hm, I might have missed the part where I wrote to enable MFA over http, but instead of spending all energy trying to make this request ridiculous we could just try to find solutions to get it working. So just make it a requirement and grey out the MFA option if not using HTTPS, problem solved, next.
Why not spend that same energy to implement password entropy checks, or how about some HTTPS wizards/integration with certificate providers/Let's Encrypt? This will benefit the masses 'out the box' and enhance the security profile for all users, not just those that already have HTTPS and, frankly, those that likely already have an RP in place, decent passwords and a basic understanding of what cyber security is. Emby need to build a more secure base product - not prioritise time integrating something that cannot even be used with their base product... Once the base product has the bare security essentials, then add MFA - nobody has ever said it was a poor idea.
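Editor's added example of the "password entropy check" rbjtech asks for above: a gate run when a password is set, which is what would stop the single-character admin passwords mentioned later in the thread. This is illustration code written for this page, not rbjtech's and not Emby's. Assumed: a charset-based bit estimate halved for keyboard runs and repeated chunks, a small constructed stand-in for a breached-password corpus, and thresholds of 40 bits (user) / 60 bits (admin) that are policy choices of this example, not anything stated in the thread.

```python
"""Added example (not Emby's code): a password-entropy gate applied at set time.
Assumed: charset-based estimate with pattern penalties, a constructed breached
list, and 40/60-bit thresholds chosen for this example."""
import math
import string

# Constructed stand-in for a breached-password corpus (a real deployment would
# check a k-anonymity API such as HIBP's range endpoint or a local wordlist).
BREACHED = {"123456", "password", "qwerty", "letmein", "emby", "a"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def charset_size(pw: str) -> int:
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c in string.whitespace for c in pw):
        size += 33
    if any(c not in string.printable for c in pw):
        size += 100  # crude allowance for non-ASCII characters
    return size


def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if any n adjacent keyboard-row keys appear, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            chunk = row[i:i + n]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def is_repeated_chunk(pw: str) -> bool:
    """True for strings that are one short chunk repeated, e.g. 'abcabcabc'."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def estimate_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(alphabet), halved per cheap pattern.
    A cracker does far better than this bound on structured passwords, which is
    why the patterns are penalised rather than ignored."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))
    if has_keyboard_run(pw):
        bits /= 2
    if is_repeated_chunk(pw):
        bits /= 2
    return bits


def check_password(pw: str, *, admin: bool = False) -> list:
    """Return the reasons to reject the password; an empty list means accept."""
    need = 60 if admin else 40
    problems = []
    if not pw:
        problems.append("empty password")
    if pw.lower() in BREACHED:
        problems.append("appears in breached-password list")
    bits = estimate_bits(pw)
    if bits < need:
        problems.append(f"estimated {bits:.0f} bits of entropy, policy needs {need}")
    return problems
```

A server would call `check_password` in the set-password path (with `admin=True` for administrator accounts) and refuse the change with the returned reasons; the estimate is deliberately an upper bound, so a password that fails it is weak regardless of how the attacker guesses.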
Q-Droid 827 Posted July 5, 2024
7 hours ago, rbjtech said: Emby need to build a more secure base product - not prioritise time integrating something that cannot even be used with their base product... Once the base product has the bare security essentials, then add MFA - nobody has ever said it was a poor idea.
Yep. There are very basic things the dev team could do in the core to check and guide users to better security. Minor changes to settings and behavior can make a big difference in overall security. None of it would need external components or interfaces. What they choose to add after would be a cherry on top.
bandit8623 84 Posted July 5, 2024
14 hours ago, rbjtech said: Why not spend that same energy to implement password entropy checks, or how about some HTTPS wizards/integration with certificate providers/Let's Encrypt? [...] Once the base product has the bare security essentials, then add MFA - nobody has ever said it was a poor idea.
I disagree on password checks... choice on some things is nice. Again, just don't allow admin login from the internet. This is why Emby doesn't want to step in, because there will always be someone upset over a new change. Just allow 2FA on admin accounts. All we need.
nicholas_davies 15 Posted July 7, 2024
How is there not 2FA yet? That's ridiculous, there should at least be that option.
Megumin 2 Posted July 20, 2024
I agree with nicholas_davies, it's 2024 and the fact that there is not a single MFA option yet is ridiculous. Someone mentioned that it wouldn't work over http, well then just disable it for http and make it require HTTPS. Any kind of MFA is better than no MFA.
brezlord 6 Posted August 18, 2024
This feature should be a top priority in 2024. Anything exposed to the net should have 2FA. When will this basic feature be coming? Is there a road map? I'm in the process of moving over from Plex and this is the most important feature that is missing for me.
Happy2Play 9140 Posted August 18, 2024
1 hour ago, brezlord said: When will this basic feature be coming? Is there a road map?
Features and roadmaps are really never discussed. Personally, I would never want this on a USER account. But I guess if you never have to reauthenticate, like now, a one-time 2FA would I guess be fine, but never if it were every time I opened an app.
Edited August 18, 2024 by Happy2Play
brezlord 6 Posted August 18, 2024
With Plex it is only required once, when you initially log in, if you decided to enable 2FA. It should be a per-user selection and it should be recommended for any account that has admin privileges. With it being optional, those that don't want it can choose to run without the added layer of security. Currently I have an admin account that is restricted to local access only and user accounts have no admin privileges. It is however, in today's threat landscape, best practice to enable 2FA on all accounts, or at least give the option to do so.
bandit8623 84 Posted August 18, 2024
1 hour ago, brezlord said: This feature should be a top priority in 2024. Anything exposed to the net should have 2FA. [...] I'm in the process of moving over from Plex and this is the most important feature that is missing for me.
As an admin I don't want to have to explain and set up 2FA for my users. It's going to be a headache. Now, I'm OK with the option to use it, for sure!! I don't allow my admin account access from the web, so I don't see this as an "OMG we need this now" thing. If you are exposing your admin account to the web you are doing it wrong. If a regular user of yours gets hacked, what's going to happen? Nothing, they have no access to change anything.
Edited August 18, 2024 by bandit8623
bandit8623 84 Posted August 18, 2024
You should only have admin access on the local LAN. Use a VPN back to your home router if you really need to manage the server when away from home. Create a secondary non-admin account to use when away.
rbjtech 4806 Posted August 18, 2024
5 hours ago, brezlord said: It is however, in today's threat landscape, best practice to enable 2FA on all accounts, or at least give the option to do so.
'Out the box' Emby's view is that their software's gateway to your home network can be used over http and have a password of any complexity - it's only recently that you had to have any password at all on your admin account - but that password can still be 'a' and it will be allowed. 2FA/MFA is at this stage a LONG way off imo, but I don't personally consider it essential either if you simply follow best practice on using a decent-length unique password over HTTPS and restrict admin to LAN only. Allowing Emby admin to the net is like enabling your router admin to the net, you simply do not do that, even with MFA. Totally agree that MFA is a safety net for breached passwords, but for a media server admin account that should not be open to the net anyway, for me personally it's not required - there are a LOT more basic security practices they need to implement or interface with before this.
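Editor's added example of the "admin from the LAN only" rule that bandit8623 and rbjtech recommend above, enforced at login rather than by hoping the admin never types their password from outside. It also handles the reverse-proxy case rbjtech mentions, where the TCP peer is always the proxy and the real client has to be read from X-Forwarded-For without trusting a value the client can forge. This is illustration code written for this page, not Emby's. Assumed: RFC 1918, loopback and IPv6 ULA ranges count as LAN, a single trusted reverse proxy at the made-up address 10.0.0.5 that appends the real client to X-Forwarded-For, and a user record with an `admin` flag.

```python
"""Added example (not Emby's code): refuse admin logins from non-LAN addresses,
resolving the client through one trusted reverse proxy.
Assumed: LAN = RFC 1918 + loopback + ULA; trusted proxy at 10.0.0.5 (made up)."""
import ipaddress

LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

# Only connections arriving from these addresses may carry a trustworthy
# X-Forwarded-For; any other peer can write whatever it likes in that header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumed RP address


def client_ip(peer: str, xff=None):
    """Resolve the real client address.

    If the TCP peer is our proxy, trust only the RIGHTMOST X-Forwarded-For
    entry: that is the one our proxy appended, everything to its left was
    supplied by the client. If the peer is not our proxy, ignore the header."""
    peer_addr = ipaddress.ip_address(peer)
    if xff and any(peer_addr in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer_addr


def is_lan(addr) -> bool:
    # A v4 address is never "in" a v6 network and vice versa; no version checks needed.
    return any(addr in net for net in LAN_RANGES)


def check_login_origin(user: dict, peer: str, xff=None) -> tuple:
    """Return (allowed, reason). Admin accounts are refused unless the resolved
    client address is on the LAN; ordinary accounts are unaffected."""
    src = client_ip(peer, xff)
    if user.get("admin") and not is_lan(src):
        return False, f"admin login refused from non-LAN address {src}"
    return True, f"ok from {src}"
```

The check belongs before the password is even verified, so an internet-facing admin login fails closed whatever the credential. Note the two failure modes it covers: a spoofed X-Forwarded-For from a direct internet peer is ignored outright, and behind the proxy a forged leftmost entry does not help because only the proxy-appended rightmost address is consulted. If the proxy is ever moved, `TRUSTED_PROXIES` must move with it, otherwise every login resolves to the proxy's own LAN address and the rule silently admits everyone.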
RudyOppers 0 Posted September 8, 2024
On 8/18/2024 at 8:23 AM, rbjtech said: 'Out the box' Emby's view is that their software's gateway to your home network can be used over http and have a password of any complexity - it's only recently that you had to have any password at all on your admin account - but that password can still be 'a' and it will be allowed.
I just tried on my system. I can create users and admins who can connect from a remote location that have no password. I'm running the latest Docker version. I tried this a few times because I really did not believe this. It was also possible to connect from WAN and remove my password. Nice....... I don't think I will trust Emby's auth mechanisms any time soon. Seeing that this thread started in January of 2018 and we are now in September 2024 with 0 improvements, as far as I can tell, to any of the raised security issues, I don't think security has any priority for the folks at Emby.
Neminem 684 Posted September 8, 2024
31 minutes ago, RudyOppers said: I just tried on my system. I can create users and admins who can connect from a remote location that have no password. I'm running the latest Docker version. I tried this a few times because I really did not believe this. It was also possible to connect from WAN and remove my password.
As long as Emby will not FORCE admins to use a password, I do not see this happening. tbh, why is zeroing out a password even allowed? How is this FR ever going to happen if this is allowed? ¯\_(ツ)_/¯
Edited September 8, 2024 by JayceDK
bandit8623 84 Posted September 8, 2024
Not sure why you guys want Emby to be more like Big Brother? Don't be a moron and blank out passwords... choice is a good thing. Let me guess, next you will want users to be forced to change passwords every 3 months....
Edited September 8, 2024 by bandit8623
AngelSing 27 Posted November 25, 2024
Yes, it would be a good idea, but I'd prefer it to be implemented per user rather than per server. This is because some users might not want this additional layer of protection, while others might find it useful. Therefore, it should be a configurable option based on each user's preference, allowing them to enable or disable it as they see fit.
adrianwi 250 Posted November 29, 2024
This feature request will be 7 years old in less than 2 months, SEVEN!!! and with 13 pages of comments. What is the point of the feature request forum?