odeuxcool
Posted

Hello,

There is no point talking to them; security is not on the agenda at Emby. Frankly it's outrageous, but what can you do, we make do with it!

bandit8623
Posted
27 minutes ago, amphyvi said:

Chipping in to say we definitely need MFA/2FA support. I like bandit8623's idea of restricting it to user accounts & requiring LAN access for admin use.

I would say, though, that if 2FA were added, we could allow outside access with the admin account. But at the current stage, with no 2FA, it's just bad practice to allow the admin account to be logged into remotely.

ALLSTAR1986
Posted

What is the current status? I would be in favor of a 2FA when adding new devices and then whitelisting the device if necessary. I have also secured my ASUSTOR NAS with a 2FA. With Emby I already lack this, if someone gains access to my admin account at Emby, they can wipe out my entire Emby server and delete everything! So I would definitely be in favor of a 2FA

raudraido
Posted
11 hours ago, ALLSTAR1986 said:

What is the current status? I would be in favor of a 2FA when adding new devices and then whitelisting the device if necessary. I have also secured my ASUSTOR NAS with a 2FA. With Emby I already lack this, if someone gains access to my admin account at Emby, they can wipe out my entire Emby server and delete everything! So I would definitely be in favor of a 2FA

Even if Emby had 2FA, please do not consider it a protection against everything. At least make sure Emby has read-only access to your library, so even if Emby gets compromised, it's not that bad.

If you are running it on Windows, consider at least Docker; better would be Docker on Linux, and so on.

hapylestat
Posted
On 8/25/2022 at 5:48 PM, ebr said:

And, just as another point of information - the other guys already have 2FA but that did not stop this attack apparently.

This is still a good request.  I just don't think it is any kind of "Holy Grail" to any real exposure here since Emby users are spread out among all different Emby instances, rather than a central repository.

And is there any SSO/SAML/OIDC in the plans, if there is no wish to implement 2FA? In that case people would be able to configure it via those providers.

hapylestat
Posted
8 hours ago, raudraido said:

Even if Emby had 2FA, please do not consider it a protection against everything. At least make sure Emby has read-only access to your library, so even if Emby gets compromised, it's not that bad.

If you are running it on Windows, consider at least Docker; better would be Docker on Linux, and so on.

Security starts from the network architecture: a proper internet router, VLANs, a firewall with support for security zones, and only then comes the isolation of the exposed service itself.

But still, security is created from layers, like an onion. And support for 2FA is one of them.

  • Like 3
raudraido
Posted
On 3/14/2025 at 6:22 PM, hapylestat said:

Security starts from the network architecture: a proper internet router, VLANs, a firewall with support for security zones, and only then comes the isolation of the exposed service itself.

But still, security is created from layers, like an onion. And support for 2FA is one of them.

Yes, yes, you are correct and I fully support 2FA (or similar) on Emby.
But the reality is that this is not going anywhere; meanwhile you still have to secure it.

  • 1 month later...
muzicman0
Posted

Just adding my support for 2FA. I was kinda surprised that it wasn't already available. I have had so many users get phished in the past (not so much Emby users, but at my work) that I really hate having anything that doesn't utilize 2FA. With that said, I agree that there has to be a balance between security and convenience.

  • Like 1
adrianwi
Posted

It still amazes me that 7 years after a pretty important Feature Request, this still hasn't been developed 😕

odeuxcool
Posted

Security is not at all among the team's objectives. They couldn't care less and are determined to keep going in that direction. Consider yourselves warned before buying the licence.

athinaok
Posted

Come on, Emby team—why is two-factor authentication (2FA) still not implemented?

This is a must-have feature, not a luxury. In 2025, it's shocking that a media server platform like Emby still doesn’t support basic security tools like 2FA. Your users have been asking for this for over seven years, and yet there’s been no serious progress or clear communication about it.

Security should be a priority, not an afterthought—especially for systems that many of us expose to the public internet. Please take this seriously and let the community know when we can expect 2FA support.

  • Like 3
  • Agree 3
raudraido
Posted

at this point emby team should close this topic as "NOT GONNA HAPPEN!".

rbjtech
Posted
1 hour ago, raudraido said:

at this point emby team should close this topic as "NOT GONNA HAPPEN!".

The fact that Emby allows auth over HTTP (out of the box, that's what you get...), they do not enforce password strength/entropy, have limited brute-force protection, etc. - i.e. the very BASICS of auth have not yet been made available, even as options - so I'm really not sure why people are expecting 2FA.

Yes, Emby could maybe try and accommodate 2FA in the auth API IF you are using HTTPS etc. - but going along with the Emby philosophy of prioritising functionality that benefits 'normal/mass' users, it would indeed seem unlikely that they would implement 2FA in the near future.

Personally, for remote access to Emby Admin (only), I would use a VPN (with 2FA and all the other protections associated with perimeter defense) anyway - there is no way I would have Emby administrative access direct from the Internet via just its own internal web server, even with 2FA...

odeuxcool
Posted

It's high time they reconsidered their priorities, because this is outrageous.

rbjtech
Posted
2 minutes ago, odeuxcool said:

It's high time they reconsidered their priorities, because this is outrageous.

As a network security guy, I don't disagree, but again - fix the basics, then move on to the more advanced stuff. Fixing HTTPS out of the box, or password enforcement, will benefit more people than implementing 2FA - that's all I'm saying. :)

  • Like 1
  • Agree 1
Houfino
Posted (edited)

I am surprised that they don't address 2FA here... The admin (Luke) doesn't care that hackers broke in and can easily delete the entire Emby server, for example a movie, a series... I see that we live in prehistoric times, poorer than google.com... A great shame!!!!!! Why don't we add Google Authenticator to Emby?!?!?! The whole world is dangerous because of hackers..... I think Luke doesn't like 2FA and wants to keep it open... Who knows...

Edited by Houfino
  • Confused 1
  • Thanks 1
Houfino
Posted (edited)
On 4/28/2025 at 4:40 AM, muzicman0 said:

Just adding my support for 2FA. I was kinda surprised that it wasn't already available. I have had so many users get phished in the past (not so much Emby users, but at my work) that I really hate having anything that doesn't utilize 2FA. With that said, I agree that there has to be a balance between security and convenience.

Hackers paid Luke not to implement two-factor authentication because of Emby... Why did it take so long - 7 years? It's really a shame that we live in 2025 without 2FA...I applaud

Facebook, Instagram, Google, Twitter, etc. have 2FA...

Edited by Houfino
  • Facepalm 2
ebr
Posted
3 hours ago, Houfino said:

Facebook, Instagram, Google, Twitter, etc. have 2FA

Just as a point of fact - all of those are centrally-managed services.

Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network.  You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile.

Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be...

  • Like 2
Painkiller8818
Posted
19 minutes ago, ebr said:

Just as a point of fact - all of those are centrally-managed services.

Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network.  You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile.

Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be...

Just for example, my Nextcloud is also MY personal server, but the option of MFA is available. So yes, there is more to security than only MFA, but stop telling people there is so much more to care about to make the server secure; just give them the option for MFA.

If they don't enable it or can't set up the requirements to make it work, it is not your fault, but this discussion would have an end after 7 years.

Thanks

  • Agree 1
  • Thanks 1
  • 1 month later...
Wouter.Vdm
Posted

Just adding my support for 2fa

hapylestat
Posted (edited)
On 5/2/2025 at 4:56 PM, ebr said:

Just as a point of fact - all of those are centrally-managed services.

Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network.  You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile.

Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be...

Could this answer be treated as "this feature will never happen, use workarounds based on a reverse proxy"? If yes, then it would be better to give a final answer with arguments why not and just close the topic.

Honestly, it would be better than keeping people in suspense and frustrated.

Edited by hapylestat
  • Agree 1
visproduction
Posted (edited)

There were only two mentions of cost, so far, in this discussion.  I didn't read every post.  Perhaps many people think that added 2f authentication is like ordering a couple pizzas.  Here is an estimate from Dec 2024 about one installation for one service.  https://messente.com/blog/most-recent/2fa-implementation-costs

The total is over $20,000 in Euros from this article. They are, of course, quoting standard development costs for businesses. Maybe someone is willing to work hard, for a discount somewhere. This is really an 'easier said than done' feature, if you consider it has to ideally work across all the Emby platforms, and each codebase is pretty much separate, when you add in-front authentication. Doing the first one makes the others a little easier, but each one requires separate work and separate code. Let's lower the estimate and say that doing 5 platforms might run $50,000 instead of $100,000. Say there are a hundred people who want this. That's working on a feature that will cost $500 per member who wants to use it. How many people would run into trouble and just not use Emby because of this feature, even if there is an obvious opt-in, on/off form page? There are some people that don't want this. And some do leave and won't come back.

Comparing that other sites, like Facebook, have this feature is sort of amusing. Did you know that Facebook development supposedly hit $1 billion in cost back around 2010? Does anyone have an updated quote? They are sort of hard to find.

This is expensive to do, and it has to be maintained, bug-fixed and updated. I don't think it's worth it. That's my opinion.

If you want more security, admin your users. Only give out login info carefully to a limited group of people. If you suspect an issue, turn the user off until they can explain what's going on. With Emby it would seem rare to have a lot of users. The licensing limits it anyway. How hard is it to admin the users?

If you all can find a better deal out to do this type of custom code development.  Fine, who is available for what discounted rate, to work on authentication code for a media server that beats the article pricing estimate?  Find them and list them here. I would be interested to see what competitive developers might quote.  Is there someone, who posted in this discussion, who could actually do the code development?  How much time would you need and what would you charge?  Is there a new method to implement 2f more easily, now, in 2025?  How about some discussion with details like that, instead of just saying the request for the feature has been going on for so many years?  


Edited by visproduction
muzicman0
Posted

There are plenty of open source libraries out there for TOTP and probably even passkeys. It's not like they have to start from scratch.

Your comment on "admin your users" is a bit naive. No matter how careful you are, if you have users, you have zero control (or maybe very little control) over what they choose as a password. Maybe they re-use passwords (I used to, and still have a lot of old passwords that are reused, and I am a network engineer). Sites get hacked all the time. My mom has access to my Emby server. As much as I want to trust that she would never do something stupid... well... we all have parents, so enough said.

Not to say that 2FA is the gold standard in security, but it is (in my opinion) the very minimum you need in an application to consider it a secure web app.

For now, I am considering moving my server to only be accessible via my Tailscale account (VPN), but that will remove anyone who uses a Roku (currently my father-in-law and sister-in-law), as I don't think there is a Roku app for Tailscale. I have done little research though. I am unsure if Apple TV has Tailscale since I have never used one.

  • Like 1
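To put muzicman0's point that TOTP need not be written from scratch in concrete terms, here is an added illustration (not code from this thread or from Emby) of the entire RFC 6238 core in a few dozen lines of Python, including the clock-drift window and the replay check a server needs. The key is the RFC 4226/6238 test-vector secret, so every code it produces can be checked against the RFC appendices; a real deployment would generate a random per-user key instead.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed key for the worked example: the ASCII secret used by the
# RFC 4226 / RFC 6238 test vectors. A real server generates a random key
# per user and shows it once (QR code / base32) at enrolment.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, candidate: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matched,
    or None. Tolerates +/- `window` steps of clock drift, compares in
    constant time, and refuses any counter <= last_used_counter so a
    phished or shoulder-surfed code cannot be replayed inside the window.
    The caller must persist the returned counter as the new last_used."""
    current = unix_time // step
    matched = None
    # Test every step in the window, with no early exit, so timing does
    # not reveal which (if any) candidate matched.
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            matched = counter
    if matched is None or matched <= last_used_counter:
        return None
    return matched
```

Rate limiting of failed attempts per user is still required on top of this: a 6-digit code within a 3-step window gives an unthrottled guesser roughly 3 in a million odds per try.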
bandit8623
Posted
1 hour ago, muzicman0 said:

There are plenty of open source libraries out there for TOTP and probably even passkeys. It's not like they have to start from scratch.

Your comment on "admin your users" is a bit naive. No matter how careful you are, if you have users, you have zero control (or maybe very little control) over what they choose as a password. Maybe they re-use passwords (I used to, and still have a lot of old passwords that are reused, and I am a network engineer). Sites get hacked all the time. My mom has access to my Emby server. As much as I want to trust that she would never do something stupid... well... we all have parents, so enough said.

Not to say that 2FA is the gold standard in security, but it is (in my opinion) the very minimum you need in an application to consider it a secure web app.

For now, I am considering moving my server to only be accessible via my Tailscale account (VPN), but that will remove anyone who uses a Roku (currently my father-in-law and sister-in-law), as I don't think there is a Roku app for Tailscale. I have done little research though. I am unsure if Apple TV has Tailscale since I have never used one.

If you can only access your server via VPN and HTTP locally, and disable admin access via HTTPS, what worry do you have?

Really none. If a user gets hacked they still can't delete anything or get into your system.

muzicman0
Posted

Yes, but in order to put them on my VPN, I am making it so that some users can't access. As stated above. 
