BAlGaInTl
Posted

+1

 

I'll throw my hat in on this.  I think it would be good.

Posted

I think most websites will start to offer 2FA over the coming years, but it should be optional for most users and certainly something the admin user can control with Emby.

BAlGaInTl
Posted

I thought about this more last night, and although I still really like the idea...

 

I fear that the best way for Emby to implement this would probably be through Emby Connect, and I'm not sure I want to use that. Otherwise... each individual server would have to run its own type of TOTP server. I'm not sure how easy that is to accomplish.

Posted

I thought about this more last night, and although I still really like the idea...

 

I fear that the best way for Emby to implement this would probably be through Emby Connect, and I'm not sure I want to use that. Otherwise... each individual server would have to run its own type of TOTP server. I'm not sure how easy that is to accomplish.

You can use Google for this pretty easily just like OpenVPN does.

Posted

Remember the challenge here is, how will it work for all apps, not just some of them. So hopefully the feature request is taking that into consideration. Thanks !

notla49285
Posted

What's wrong with using Emby Connect? Genuine question.

Posted

We have some major changes planned for Emby Connect for Q1 of this year that will solve a lot of its current problems. We're not announcing anything yet, but it would probably be best to request this in a way that doesn't involve Emby Connect, or the use of any centralized server of ours. So it needs to be something privately managed by each Emby Server, which is what most of you seem to want anyway.

  • Like 4
Posted

Non-centralized options would be preferable. Could be as simple as integrating a third party like Duo, https://duo.com/docs/duoweb, Authy, or Google Authenticator/GoogleAuth to perform the function. 

  • Like 2
BAlGaInTl
Posted

What's wrong with using Emby Connect? Genuine question.

 

Nothing is wrong with it per se. Some admins just prefer not to use it... instead, I have my users (very few) connect to my own custom domain.  I would like to keep it that way.

 

We have some major changes planned for Emby Connect for Q1 of this year that will solve a lot of its current problems. We're not announcing anything yet, but it would probably be best to request this in a way that doesn't involve Emby Connect, or the use of any centralized server of ours. So it needs to be something privately managed by each Emby Server, which is what most of you seem to want anyway.

 

Yes agreed on all points. 

 

That was the point I was trying to make... it was a fear, not a request.  I'm glad this is the current thought.

  • Like 1
Posted

Nothing is wrong with it per se. Some admins just prefer not to use it... instead, I have my users (very few) connect to my own custom domain.  I would like to keep it that way.

 

 

Yes agreed on all points. 

 

That was the point I was trying to make... it was a fear, not a request.  I'm glad this is the current thought.

 

100% Agree! I don't want my server tied into a cloud service even for authentication. Custom domain & locally managed users are the reason I moved to Emby from Plex!

  • Like 1
Posted

What's wrong with using Emby Connect? Genuine question.

 

Technically nothing, but having a choice of two login options is a constant source of confusion that we have to explain, support and troubleshoot every single day.

Posted

Actually if it's operational on the Server then it would be required using either direct connect or Emby Connect since the server isn't going to allow it in without the 2FA.

Spaceboy
Posted

I only use emby connect because it is required for the Alexa integration. Otherwise I much prefer to use my own domain

Posted

Here are some of the things you need to figure out and answer:

Do you want an option so it only requires 2FA for admin work? (this is how I'd consider using it)

 

Do you want this to work per DEVICE, per USER.  There can be a slight difference.  For example if John has already authenticated on the device but has access to quick login of other users do we need to again 2FA the new person?

 

Should this work for IP or for device/user?  If a person passes 2FA in THEIR own home LAN (we'll see it as 1 IP address) do we need to authenticate every other login attempt from that 1 IP?

 

Is the 2FA needed at every login or every X days?

 

Is the 2FA going to be only for new device setups?

 

Do you want a WHITE LIST of IPs that can be entered where 2FA is not needed. (internal lan, work lan, parents house, etc)

 

I could go on with questions, but if we had specific REASONS to use 2FA it would make it much easier to put specs together for its functionality.

notla49285
Posted

At the moment I am using a self-hosted domain, and have Emby Connect users added to my server (as in, sent the invitations out, accepted, etc - not created the users on the server myself).

 

I don't have an issue with using my domain instead of Emby Connect, but have got a question. The external users can visit my domain and login using their Emby Connect credentials - how does this work? Does my server contact Emby's servers to check the login details? Or is the username and password transferred to my server on adding the Connect user and everything is done on my server from then on?

Posted

You set up one user account on your own system for each user.  You then attach their Emby Connect username to your local name.

 

So for example you could have me set up on your server as "Carlo".  Luke could have me set up as "CarloAyars", ebr could have me set up as "cayars", CBers could have me set up as "WackoCarlo" :).  But each would attach my "cayars" Emby Connect username to the account they created for me.

 

The beauty of this is that when users create Emby Connect usernames like "DudeThatRocksSnowBoarding" which is meaningless to you as the "connect name" it won't matter once you associate the crazy name to your local name YOU CONTROL on your server.  You'll see me as the local name and know who I am.

Posted

From the user standpoint they don't need to worry about the account name used on each server, nor do they have to log in to each server.  The end user only has to remember their Emby Connect username.  When they log in via Connect they get access to all servers that are running.

 

So this has advantages for both the server administrator and for users who have access to multiple servers (one login).

 

Make sense?

notla49285
Posted (edited)

Yeah I get the potential to set custom user names, but I didn't add a server user and then assign the Connect account to it, I selected + to add a user and then selected "Invite with Emby Connect", entered their Connect username and sent the invite. I have not set a password for them, neither can I set anything on the Password page (where you'd normally either change a local server user's password or add an easy PIN), it's just blank. So how does my server check their password at login? Surely it would have to contact Emby's servers to check the Connect credentials?

 

My users are not currently logging in via Connect (i.e. app.emby.media), they are using my domain and manually entering Connect credentials (I don't have any users listed to select from so as to force manual login).

Edited by notla49285
Posted

Suffice it to say that this is just not an easy add.  We understand the request but not only will this be fairly complex to add but it will also add another (highly likely) point of failure possibility to the connection workflow.  Connectivity problems are probably our number one issue we spend time helping people with and they are very difficult because they involve individual configuration in each person's personal environment.  This just adds to that.

 

Not saying we won't do this.  Just saying it has to be done very carefully and it won't be overnight :).

  • Like 3
Posted

Don't know if you guys have seen this or not:

 

CNBC article on why you can't relax using 2FA and how it can be exploited.

https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html

 

Interesting read but nothing new. 

 

 

According to Mitnick, the attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link.

Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the log in went through the hacker's server and they were able to get the session cookie, the expert explained.

"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said.

 

This is the same spiel that always comes from Mitnick. That in any computer system, people are always the weak link. Something to be aware of at the least.

  • Like 2
Posted

Social Engineering (hacking a system by manipulating people) will always be a concern. Don't open emails regarding account issues if you didn't already right then expect it. Browse directly to the URL of the site in question and handle it there.

 

Also, 2FA with an authenticator app is more secure than 2FA via text.

 

Indeed, these things are nothing new, and quite frankly should be common sense.

  • Like 3
  • 1 month later...
Posted

I’d love to see 2fa working with Authy, could you use this as the pin? Means that the pin would be unique every time you log in and it wouldn’t matter if anybody saw you enter it or if it appeared on screen unobfuscated because it will only work the one time and for the duration that the code is valid.

Posted (edited)

+1 2FA authenticator app is a must have these days

Edited by mata7
  • 5 months later...
Posted

Bumping this as all the software that I expose these days supports 2FA except Emby.
