odeuxcool 8 Posted March 12 Posted March 12 Bonjour, Cela ne sert a rien de parler avec eux, la sécurité n'est pas d'actualité chez Emby. C'est franchement abusé mais que voulez-vous, ont fait avec !
bandit8623 132 Posted March 12 Posted March 12 27 minutes ago, amphyvi said: Chipping in to say we definitely need MFA/2FA support. I like bandit8623's idea of restricting it to user accounts & requiring LAN access for admin use. i would say though if 2fa was added then i would say we could allow outside access with admin account. but in current stage with no 2fa its just bad practice to allow admin account to be logged into remotely.
ALLSTAR1986 8 Posted March 13 Posted March 13 What is the current status? I would be in favor of a 2FA when adding new devices and then whitelisting the device if necessary. I have also secured my ASUSTOR NAS with a 2FA. With Emby I already lack this, if someone gains access to my admin account at Emby, they can wipe out my entire Emby server and delete everything! So I would definitely be in favor of a 2FA
raudraido 44 Posted March 14 Posted March 14 11 hours ago, ALLSTAR1986 said: What is the current status? I would be in favor of a 2FA when adding new devices and then whitelisting the device if necessary. I have also secured my ASUSTOR NAS with a 2FA. With Emby I already lack this, if someone gains access to my admin account at Emby, they can wipe out my entire Emby server and delete everything! So I would definitely be in favor of a 2FA Even if Emby had 2FA, please do not consider it as an protection against everything. At least make sure emby has read-only acccess to your library, so even if emby gets compromised, it's not that bad.. If you are running it on windows, consider at least docker, better would be docker on linux.. and so on.
hapylestat 10 Posted March 14 Posted March 14 On 8/25/2022 at 5:48 PM, ebr said: And, just as another point of information - the other guys already have 2FA but that did not stop this attack apparently. This is still a good request. I just don't think it is any kind of "Holy Grail" to any real exposure here since Emby users are spread out among all different Emby instances, rather than a central repository. And is there any SSO/SAML/OIDC in plans, if there no wish to implement 2fa? In such case people would be able to configure it via those providers.
hapylestat 10 Posted March 14 Posted March 14 8 hours ago, raudraido said: Even if Emby had 2FA, please do not consider it as an protection against everything. At least make sure emby has read-only acccess to your library, so even if emby gets compromised, it's not that bad.. If you are running it on windows, consider at least docker, better would be docker on linux.. and so on. Security starts from the network architecture, proper internet router, VLAN's. firewall with support of security zones and then only comes the exposed service isolation itself. But still, security are created from the layers, like onion. And support of 2FA is one of them. 3
raudraido 44 Posted March 15 Posted March 15 On 3/14/2025 at 6:22 PM, hapylestat said: Security starts from the network architecture, proper internet router, VLAN's. firewall with support of security zones and then only comes the exposed service isolation itself. But still, security are created from the layers, like onion. And support of 2FA is one of them. Yes yes, You are correct and I fully support 2FA (or similar) on emby. But the reallity is that this is not going anywhere, meanwhile you still have to secure it.
muzicman0 71 Posted April 28 Posted April 28 Just adding my support for 2fa. Was kinda surprised that it wasn't already available. I have had so many users get phished in the past (not so much emby users, but at my work) that I really hate having anything that doesn't utilize 2fa. With that said, I agree that there has to be a balance between security and convenience. 1
adrianwi 253 Posted April 29 Posted April 29 It still amazes me that 7 years after a pretty important Feature Request, this still hasn't been developed
odeuxcool 8 Posted April 29 Posted April 29 La sécurité n'est pas du tout dans les objectifs de l'équipe. Ils en ont rien à faire et sont déterminés a continuer dans ce sens. Tenez le pour dit avant d'acheter la licence
athinaok 23 Posted April 29 Posted April 29 Come on, Emby team—why is two-factor authentication (2FA) still not implemented? This is a must-have feature, not a luxury. In 2025, it's shocking that a media server platform like Emby still doesn’t support basic security tools like 2FA. Your users have been asking for this for over seven years, and yet there’s been no serious progress or clear communication about it. Security should be a priority, not an afterthought—especially for systems that many of us expose to the public internet. Please take this seriously and let the community know when we can expect 2FA support. 3 3
raudraido 44 Posted April 30 Posted April 30 at this point emby team should close this topic as "NOT GONNA HAPPEN!".
rbjtech 5000 Posted April 30 Posted April 30 1 hour ago, raudraido said: at this point emby team should close this topic as "NOT GONNA HAPPEN!". The fact Emby allow Auth over HTTP (out the box, that's what you get.. ), they do not enforce password strength/entropy, have limited brute force etc - ie the very BASICS of Auth have not yet been made available, even as options - so I'm really not sure why people are expecting 2FA. Yes Emby could maybe try and accomodate 2FA in the Auth API IF you are using https etc - but going along with the Emby philosophy of prioritising functionality that benefits 'normal/mass' users - it would indeed seem unlikely that they would implement 2FA in the near future. Personally, for remote access to Emby Admin (only), I would use a VPN (with 2FA and all the other protections associated with perimeter defense) anyway - there is no way I would have Emby Adminstrative access direct from the Internet via just it's own internal web server even with 2FA...
odeuxcool 8 Posted April 30 Posted April 30 Il serait quand même temps qu'il revoit leur priorité parce que là c'est abusé
rbjtech 5000 Posted April 30 Posted April 30 2 minutes ago, odeuxcool said: Il serait quand même temps qu'il revoit leur priorité parce que là c'est abusé As an Network Security guy - I don't disagree, but again - fix the basics, then move to the more advanced stuff. Fixing https out the box, or password enforcement will benefit more people than implementing 2FA - that's all I'm saying. 1 1
Houfino 36 Posted May 1 Posted May 1 (edited) I am surprised that they don't address 2FA here...Admin(Luke) doesn't care that hackers broke in and he can easily delete the entire Emby server, for example a movie, a serial....I see that we live in prehistoric times and poorer than google.com...A great shame!!!!!! Why don't we add Google Authenticator to Emby?!?!?! The whole world is dangerous because of hackers.....I think Luke doesn't like 2FA and wants to open...Who knows... Edited May 1 by Houfino 1 1
Houfino 36 Posted May 2 Posted May 2 (edited) On 4/28/2025 at 4:40 AM, muzicman0 said: Just adding my support for 2fa. Was kinda surprised that it wasn't already available. I have had so many users get phished in the past (not so much emby users, but at my work) that I really hate having anything that doesn't utilize 2fa. With that said, I agree that there has to be a balance between security and convenience. Hackers paid Luke not to implement two-factor authentication because of Emby... Why did it take so long - 7 years? It's really a shame that we live in 2025 without 2FA...I applaud Facebook, Instagram, Google, Twitter, etc. have 2FA... Edited May 2 by Houfino 2
ebr 15675 Posted May 2 Posted May 2 3 hours ago, Houfino said: Facebook, Instagram, Google, Twitter, etc. have 2FA Just as a point of fact - all of those are centrally-managed services. Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network. You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile. Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be... 2
Painkiller8818 232 Posted May 2 Posted May 2 19 minutes ago, ebr said: Just as a point of fact - all of those are centrally-managed services. Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network. You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile. Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be... Just for example, my Nextcloud is also MY personal Server, but the option of MFA is available. So yes there is more about security and not only MFA but stop telling people there is so much more to care about to make the server secure, just give them the option for MFA. If they don't enable it or can setup the requirements to make it work it is not your fault but this discussion would have an end after 7 years. Thanks 1 1
hapylestat 10 Posted June 11 Posted June 11 (edited) On 5/2/2025 at 4:56 PM, ebr said: Just as a point of fact - all of those are centrally-managed services. Emby is YOUR personal server and keeping it that way does require you to take more responsibility for your own service running on your own network. You can not allow Admin access externally if you wish or implement other security measures that will allow it within your security profile. Of course, this is still something we have on our list - it just isn't as simple as what you make it out to be... could this answer to be treated like - this feature would never happen, use workarounds based on reverse proxy? If yes, then better to give the final answer with arguments why not and just close the topic. Honestly, it would be better than keep people in suspension and being frustrated. Edited June 11 by hapylestat 1
visproduction 285 Posted June 11 Posted June 11 (edited) There were only two mentions of cost, so far, in this discussion. I didn't read every post. Perhaps many people think that added 2f authentication is like ordering a couple pizzas. Here is an estimate from Dec 2024 about one installation for one service. https://messente.com/blog/most-recent/2fa-implementation-costs The total is over $20,000 in Euros from this article. They are, of course, quoting standard development costs for businesses. Maybe someone is willing to work hard, for a discount somewhere. This is really an 'easier said than done' feature. If you consider it has to ideally work across all the Emby platforms and each code is pretty much separate, when you add in-front authentication. Doing the first one makes the others a little easier, but each one requires separate work and separate code. Let's lower the estimate and say that doing 5 platforms might run $50,000 instead of $100,000. Say there is a hundred people who want this. That's working on a feature that will cost $500, per member who wants to use it. How many people would run into trouble and just not use Emby because of this feature, even if there is an obvious opt in, on/off form page? There are some people that don't want this. And some do leave and won't come back. Comparing that other sites, like Facebook have this feature, is sort of amusing. Did you know that Facebook development supposidly hit $1 Billion cost back around 2010? Does anyone have an updated quote? They are sort of hard to find. This is expensive to do and it has to be maintained, bug fixed and updated. I don't think it's worth it. That's my opinion. If you want more security, admin your users. Only give out login info carefully to a limited group of people. If you suspect an issue, turn the user off, until they can explain what's going on. With Emby it's would seem rare to have a lot of users. The licensing limits it anyway. How hard is it to admin the users? If you all can find a better deal out to do this type of custom code development. Fine, who is available for what discounted rate, to work on authentication code for a media server that beats the article pricing estimate? Find them and list them here. I would be interested to see what competitive developers might quote. Is there someone, who posted in this discussion, who could actually do the code development? How much time would you need and what would you charge? Is there a new method to implement 2f more easily, now, in 2025? How about some discussion with details like that, instead of just saying the request for the feature has been going on for so many years? Edited June 11 by visproduction
muzicman0 71 Posted June 11 Posted June 11 There are plenty of open source libraries out there for TOTP and probably even PassKeys. It's not like they have to start from scratch. Your comment on admin your users is a bit naive. No matter how careful you are, if you have users, you have zero control (or maybe very little control) over what they choose as a password. Maybe they re-use passwords (I used to, and still have a lot of old passwords that are reused, and I am a network Engineer). Sites get hacked all the time. My mom has access to my Emby server. As much as I want to trust that she would never do something stupid....well....we all have parents, so enough said. Not to say the 2fa is the gold standard in security, but it is (in my opinion) the very minimum you need in an application to consider it as a secure web app. For now, I am considering moving my server to only be accessible via my Tailscale account (VPN), but that will remove anyone who uses a Roku (currently my father in law and sister in law), as I don't think there is a Roku app for Tailscale. I have done little research though. I am unsure if AppleTV has Tailscale since I have never used one. 1
bandit8623 132 Posted June 11 Posted June 11 1 hour ago, muzicman0 said: There are plenty of open source libraries out there for TOTP and probably even PassKeys. It's not like they have to start from scratch. Your comment on admin your users is a bit naive. No matter how careful you are, if you have users, you have zero control (or maybe very little control) over what they choose as a password. Maybe they re-use passwords (I used to, and still have a lot of old passwords that are reused, and I am a network Engineer). Sites get hacked all the time. My mom has access to my Emby server. As much as I want to trust that she would never do something stupid....well....we all have parents, so enough said. Not to say the 2fa is the gold standard in security, but it is (in my opinion) the very minimum you need in an application to consider it as a secure web app. For now, I am considering moving my server to only be accessible via my Tailscale account (VPN), but that will remove anyone who uses a Roku (currently my father in law and sister in law), as I don't think there is a Roku app for Tailscale. I have done little research though. I am unsure if AppleTV has Tailscale since I have never used one. If you can only access your server via VPN and http locally.. and disable admin access via https what worry do you have ? Really none.. if a user gets hacked they can't delete anything or get into your system still.
muzicman0 71 Posted June 11 Posted June 11 Yes, but in order to put them on my VPN, I am making it so that some users can't access. As stated above.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now