2-Factor Authentication (2FA)


xorinzor


I think most websites will start to offer 2FA over the coming years, but it should be optional for most users and certainly something the admin user can control with emby.


I thought about this more last night, and although I still really like the idea...

 

I fear that the best way for Emby to implement this would probably be through Emby Connect, and I'm not sure I want to use that. Otherwise... each individual server would have to run its own type of TOTP server. I'm not sure how easy that is to accomplish.


You can use Google for this pretty easily just like OpenVPN does.


Remember the challenge here is, how will it work for all apps, not just some of them. So hopefully the feature request is taking that into consideration. Thanks !


We have some major changes planned for Emby Connect for Q1 of this year that will solve a lot of its current problems. We're not announcing anything yet, but it would probably be best to request this in a way that doesn't involve Emby Connect, or the use of any centralized server of ours. So it needs to be something privately managed by each Emby Server, which is what most of you seem to want anyway.


What's wrong with using Emby Connect? Genuine question.

 

Nothing is wrong with it per se. Some admins just prefer not to use it... instead, I have my users (very few) connect to my own custom domain.  I would like to keep it that way.


Yes, agreed on all points.

 

That was the point I was trying to make... it was a fear, not a request.  I'm glad this is the current thought.


100% Agree! I don't want my server tied into a cloud service even for authentication. Custom domain & locally managed users are the reason I moved to Emby from Plex!


Technically nothing, but having a choice of two login options is a constant source of confusion that we have to explain, support and troubleshoot every single day.


Actually if it's operational on the Server then it would be required using either direct connect or Emby Connect since the server isn't going to allow it in without the 2FA.


Here are some of the things you need to figure out and answer:

Do you want an option so it only requires 2FA for admin work? (this is how I'd consider using it)

 

Do you want this to work per DEVICE or per USER? There can be a slight difference. For example, if John has already authenticated on the device but has access to quick login of other users, do we need to again 2FA the new person?

 

Should this work for IP or for device/user?  If a person passes 2FA in THEIR own home LAN (we'll see it as 1 IP address) do we need to authenticate every other login attempt from that 1 IP?

 

Is the 2FA needed at every login or every X days?

 

Is the 2FA going to be only for new device setups?

 

Do you want a WHITE LIST of IPs that can be entered where 2FA is not needed? (internal LAN, work LAN, parents' house, etc.)

 

I could go on with questions, but if we had specific REASONS to use 2FA it would make it much easier to put specs together for its functionality.


At the moment I am using a self-hosted domain, and have Emby Connect users added to my server (as in, sent the invitations out, accepted, etc - not created the users on the server myself).

 

I don't have an issue with using my domain instead of Emby Connect, but have got a question. The external users can visit my domain and login using their Emby Connect credentials - how does this work? Does my server contact Emby's servers to check the login details? Or is the username and password transferred to my server on adding the Connect user and everything is done on my server from then on?


You set up one user account on your own system for each user. You then attach their Emby Connect username to your local name.

 

So for example you could have me set up on your server as "Carlo". Luke could have me set up as "CarloAyars", ebr could have me set up as "cayars", CBers could have me set up as "WackoCarlo" :). But each would attach my "cayars" Emby Connect username to the account they created for me.

 

The beauty of this is that when users create Emby Connect usernames like "DudeThatRocksSnowBoarding" which is meaningless to you as the "connect name" it won't matter once you associate the crazy name to your local name YOU CONTROL on your server.  You'll see me as the local name and know who I am.


From the user standpoint they don't need to worry about the account name used on each server, nor do they have to log in to each server. The end user only has to remember their Emby Connect username. When they log in via Connect they get access to all servers that are running.

 

So this has advantages for both the server administrator and for users who have access to multiple servers (one login).

 

Make sense?


Yeah, I get the potential to set custom user names, but I didn't add a server user and then assign the Connect account to it. I selected + to add a user and then selected "Invite with Emby Connect", entered their Connect username and sent the invite. I have not set a password for them, nor can I set anything on the Password page (where you'd normally either change a local server user's password or add an easy PIN); it's just blank. So how does my server check their password at login? Surely it would have to contact Emby's servers to check the Connect credentials?

 

My users are not currently logging in via Connect (i.e. app.emby.media), they are using my domain and manually entering Connect credentials (I don't have any users listed to select from so as to force manual login).


Suffice it to say that this is just not an easy add.  We understand the request but not only will this be fairly complex to add but it will also add another (highly likely) point of failure possibility to the connection workflow.  Connectivity problems are probably our number one issue we spend time helping people with and they are very difficult because they involve individual configuration in each person's personal environment.  This just adds to that.

 

Not saying we won't do this.  Just saying it has to be done very carefully and it won't be overnight :).


Don't know if you guys have seen this or not:

 

CNBC article on why you can't relax using 2FA and how it can be exploited.

https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html

 

Interesting read but nothing new. 

 

 

According to Mitnick, the attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link.

Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the login went through the hacker's server and they were able to get the session cookie, the expert explained.

"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said.

 

This is the same spiel that always comes from Mitnick. That in any computer system, people are always the weak link. Something to be aware of at the least.


Social engineering (hacking a system by manipulating people) will always be a concern. Don't open emails regarding account issues if you weren't already expecting one right then. Browse directly to the URL of the site in question and handle it there.

 

Also, 2FA with an authenticator app is more secure than 2FA via text.

 

Indeed, these things are nothing new, and quite frankly should be common sense.


I'd love to see 2FA working with Authy. Could you use this as the PIN? It means that the PIN would be unique every time you log in, and it wouldn't matter if anybody saw you enter it or if it appeared on screen unobfuscated, because it will only work the one time and for the duration that the code is valid.

