
2-Factor Authentication (2FA)


xorinzor


 it's pretty industry standard now.

 

Not really with media apps due to the burden it adds to access.  We understand the desire for this and will probably end up getting there eventually but it needs to be designed very carefully (be very optional).


  • 1 month later...

Like most of the mainstream streaming services, Emby already has 2FA of sorts  - Login and Device restrictions.  By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA...

 

For Prime (and probably Netflix) you have to Authorise the device it plays on, Emby is no different in concept, but you have to De-Authorise instead if you want 2FA.

 


 

 

For the Web admin itself - then simply turn off internet access for your admin users  ..

 


..and then if you really do want to Administer Emby remotely (i.e. not on the LAN) then VPN onto your LAN (via 2FA..).


Like most of the mainstream streaming services, Emby already has 2FA of sorts  - Login and Device restrictions.  By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA...

 

For Prime (and probably Netflix) you have to Authorise the device it plays on, Emby is no different in concept, but you have to De-Authorise instead if you want 2FA.

 


 

 

For the Web admin itself - then simply turn off internet access for your admin users  ..

 


..and then if you really do want to Administer Emby remotely (i.e. not on the LAN) then VPN onto your LAN (via 2FA..).

 

That's two levels of authorization, which is not the same as 2FA (2-factor authentication).


"Emby already has 2FA of sorts"

 

Authentication - Proof that you are who you claim to be.

 

Authentication 1 -  Your Emby login - Unique to you, only you know the password.

Authentication 2  ?  -  Your unique key assigned to YOUR personal device in your possession.  ie no different to a SMS TEXT code sent to YOUR phone.  It doesn't confirm it's you - it confirms it was sent to YOUR phone, which may no longer be in your possession.

 

The 'of sorts' bit I mention is because you can of course login to Emby with just 1FA, but the 'Authorisation' may lock you out because of the second Authentication method ... bit of a grey area I agree.. but I do know the difference thanks..  ;)

Edited by rbjtech

  • 8 months later...
  • 2 weeks later...

The world has changed over the past 1-1.5 years. 2FA is now required in Emby, and I'd like them to use the authenticator apps such as Microsoft Authenticator rather than SMS.

 

Also, the option to disable the remote login page (web) BUT keep the ability to configure the URL and credentials when in an Emby application and using HTTPS. This stops casual web browsing to a domain to see the Emby login web page and then set up a challenge for a script kiddie.

Edited by unisoft

  • 2 months later...
  • 3 weeks later...

Today my Emby showed a lot of 'continue watching' videos.

A lot were not complete. I probed further and it seems my login was accessed by someone else.

Not sure how they got the password. I suspect it is coming from a Chrome extension.

I would strongly suggest having 2FA.

There are a lot of sites that support 2FA. It has become the norm.

So should Emby.


  • 2 months later...

Would like to see 2FA added at some point also. Adding by vote.

Is there a backlog of feature asks the community can vote on to influence priority?


3 minutes ago, GWTPqZp6b said:

 

Is there a backlog of feature asks the community can vote on to influence priority?

Hi, yes, all of the topics here in the feature requests area.


I would also like to see this implemented with separate enable/disable options for external and internal connections.

 

I would also like this to support YubiKey 2FA through NFC on the mobile app and not just the code generator apps.


  • 2 weeks later...
22 hours ago, ozi83 said:

Would SQRL (https://en.m.wikipedia.org/wiki/SQRL) be a possible alternative to traditional 2FA/MFA?

Can you summarize what benefits that would offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e. tried and tested, & users are familiar with) approach was taken, unless there's good reason to deviate.

Edited by GWTPqZp6b
tried to add some logic

14 hours ago, GWTPqZp6b said:

Can you summarize what benefits that would offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e. tried and tested, & users are familiar with) approach was taken, unless there's good reason to deviate.

Found the below summary:

The user needs to remember only one password to access all websites – the password securing his master key.

User secrets – password, master key, and private key – never leave his device, making them less susceptible to attack.

Websites don’t need to handle or store sensitive user secrets – all they need is the user’s public key to verify his signature.

Credentials are site-specific and based on asymmetric crypto, which means credentials are secured against brute force, password spraying, credential stuffing, and other common attacks on username/password authentication.

 

 

I am all for any improvements to the security of Emby, be that 2FA/MFA or a system like SQRL.

 

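The properties listed in the summary above (secrets stay on the device, the site stores only a public key, credentials are site-specific), as an added example that is not part of the thread, Emby's code or the SQRL wire protocol. The HMAC-SHA256 seed derivation, the `Server` type, the function names and the sample master key are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKey runs on the user's device: seed = HMAC-SHA256(master, domain), so each
// site gets its own key pair and the master key never leaves the device.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Server stores only public keys, indexed by user name (hypothetical type).
type Server map[string]ed25519.PublicKey

// Challenge returns a fresh random nonce for the client to sign.
func (s Server) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Login checks the signature over the nonce against the enrolled public key.
func (s Server) Login(user string, nonce, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

// sign is the client side: derive this site's key and sign the challenge.
func sign(master []byte, domain string, nonce []byte) []byte {
	_, priv := siteKey(master, domain)
	return ed25519.Sign(priv, nonce)
}

func main() {
	master := []byte("constructed master key, 32 bytes") // sample value
	pub, _ := siteKey(master, "media.example")
	srv := Server{"alice": pub}
	n := srv.Challenge()
	fmt.Println(srv.Login("alice", n, sign(master, "media.example", n)))
}
```

A signature made with the key derived for a different domain, or one replayed against a new nonce, fails `Login`, and a leaked server database contains nothing that can be used to sign in elsewhere.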

On 07/12/2020 at 19:12, GWTPqZp6b said:

Can you summarize what benefits that would offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e. tried and tested, & users are familiar with) approach was taken, unless there's good reason to deviate.

Microsoft Authenticator app. Job sorted. This AT LEAST has to be there from phase 1 of supporting multiple methods.


1 hour ago, unisoft said:

Microsoft Authenticator app. Job sorted. This AT LEAST has to be there from phase 1 of supporting multiple methods.

TOTP (Time-based One-Time Password) via app is superior to SMS codes and emailed codes.

So yes. This.

Edited by Chyron

7 hours ago, Chyron said:

TOTP (Time-based One-Time Password) via app is superior to SMS codes and emailed codes.

So yes. This.

+1. I also assume being self hosted, few will want to absorb costs of an SMS relay too.

