Jump to content

2-Factor Authentication (2FA)

xorinzor

By xorinzor
in Feature Requests

 Share

Recommended Posts

mselley

mselley 6

Posted
Posted

+1 2fa for new devices would really help secure emby content, it's pretty industry standard now.

ebr Emby Team

ebr 15580

Posted
Posted

 it's pretty industry standard now.

 

Not really with media apps due to the burden it adds to access.  We understand the desire for this and will probably end up getting there eventually but it needs to be designed very carefully (be very optional).

  • 1 month later...
rbjtech

rbjtech 4926

Posted
Posted

Like most of the mainstream streaming services, Emby already has 2FA of sorts  - Login and Device restrictions.  By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA...

 

For Prime (and probably Netlix) you have to Authorise the device it plays on, Emby is no different in concept, but you have to De-Authorise instead if you want 2FA.

 

5d7293f86ea68_Devices.png

 

 

For the Web admin itself - then simply turn off internet access for your admin users  ..

 

5d7294a3c2c6a_admin.png

..and then if you really do want to Administer Emby remotely (ie not on the LAN) then VPN onto your LAN (via 2FA..).

  • Like 2
notla49285

notla49285 46

Posted
Posted

Like most of the mainstream streaming services, Emby already has 2FA of sorts  - Login and Device restrictions.  By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA...

 

For Prime (and probably Netlix) you have to Authorise the device it plays on, Emby is no different in concept, but you have to De-Authorise instead if you want 2FA.

 

5d7293f86ea68_Devices.png

 

 

For the Web admin itself - then simply turn off internet access for your admin users  ..

 

5d7294a3c2c6a_admin.png

..and then if you really do want to Administer Emby remotely (ie not on the LAN) then VPN onto your LAN (via 2FA..).

 

That's two levels of authorization, which is not the same as 2FA (2-factor authentication).

rbjtech

rbjtech 4926

Posted
Posted (edited)

"Emby already has 2FA of sorts"

 

Authentication - Proof that you are who you claim to be.

 

Authentication 1 -  Your emby login - Unique to you, only you know the password.

Authentication 2  ?  -  Your unique key assigned to YOUR personal device in your possession.  ie no different to a SMS TEXT code sent to YOUR phone.  It doesn't confirm it's you - it confirms it was sent to YOUR phone, which may no longer be in your possession.

 

The 'of sorts' bit I mention is because you can of course login to Emby with just 1FA, but the 'Authorisation' may lock you out because of second Authentication method ... bit of a grey area I agree.. but i do know the difference thanks..  ;)

Edited by rbjtech
notla49285

notla49285 46

Posted
Posted

i do know the difference thanks..  ;)

 

Yeah, clearly... :huh:

  • 8 months later...
Painkiller8818

Painkiller8818 225

Posted
Posted

+1 on this.

  • 2 weeks later...
unisoft

unisoft 325

Posted
Posted (edited)

The world has changed over the past 1- 1.5 years. 2 FA is now required in Emby, and I'd like them to use the authenticator apps such as Microsoft Authenticator rather than SMS.

 

Also, the option to disable the remote login page (web) BUT keep the ability to configure the URL and credentials when in an Emby application and using HTTPS. This stops casual web browsing to a domain and see the emby login web page and then setup a challenge for a script kiddie.

Edited by unisoft
  • Like 3
ertagon2

ertagon2 44

Posted
Posted

+1
I think this is a great idea. Nothing is better than airtight security <3.

  • Like 1
  • 2 months later...
  • 3 weeks later...
PhantomCircuit

PhantomCircuit 6

Posted
Posted

today my Emby showed a lot of 'continue watching' videos. 

a lot was not complete. i probe further and it sees my login was accessed by someone else.

not sure how they get the password. I suspect it is coming from a Chrome extension. 

i would strongly suggest to have a 2FA. 

there are a lot of sites that support 2FA. it has become the normal. 

so should Emby. 

  • Like 1
  • 2 months later...
GWTPqZp6b

GWTPqZp6b 49

Posted
Posted

Would like to see 2fa added at some point also. Adding by vote.

Is there a backlog of feature asks the community can vote on to influence priority?

Luke Emby Team

Luke 39662

Posted
Posted
3 minutes ago, GWTPqZp6b said:

 

Is there a backlog of feature asks the community can vote on to influence priority?

Hi, yes, all of the topics here in the feature requests area.

cTurtle98

cTurtle98 1

Posted
Posted

I would also like to see this implemented with separate enable disable options for external and internal connections 

 

I would also like this to support yubikey 2fa through nfc on the mobile app and not just the code generator apps

  • Like 1
  • 2 weeks later...
GWTPqZp6b

GWTPqZp6b 49

Posted
Posted (edited)
22 hours ago, ozi83 said:

Would SQRL (https://en.m.wikipedia.org/wiki/SQRL) be a possible alternative to traditional 2FA/MFA?

Can you summarize what benefits would that offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e tried and tested, & users are familiar with) approach was taken, unless theres good reason to deviate.

Edited by GWTPqZp6b
tried to add some logic
ozi83

ozi83 1

Posted
Posted
14 hours ago, GWTPqZp6b said:

Can you summarize what benefits would that offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e tried and tested, & users are familiar with) approach was taken, unless theres good reason to deviate.

Found the below summary:

The user needs to remember only one password to access all websites – the password securing his master key.

User secrets – password, master key, and private key – never leave his device, making them less susceptible to attack.

Websites don’t need to handle or store sensitive user secrets – all they need is the user’s public key to verify his signature.

Credentials are site-specific and based on asymmetric crypto, which means credentials are secured against brute force, password spraying, credential stuffing, and other common attacks on username/password authentication.

 

 

I am all for any improvement's to the security of Emby be that 2FA/MFA or a system like SQRL.

 

unisoft

unisoft 325

Posted
Posted
On 07/12/2020 at 19:12, GWTPqZp6b said:

Can you summarize what benefits would that offer? If engineering resources are going to be allocated towards implementing 2FA I would rather a conventional (i.e tried and tested, & users are familiar with) approach was taken, unless theres good reason to deviate.

Microsoft Authenticator app. Job sorted. This AT LEAST has to be there from phase 1 of supporting multiple methods.

Chyron

Chyron 248

Posted
Posted (edited)
1 hour ago, unisoft said:

Microsoft Authenticator app. Job sorted. This AT LEAST has to be there from phase 1 of supporting multiple methods.

TOTP (Time-based One-Time Password) via app is superior to SMS codes and emailed codes.

So yes. This.

Edited by Chyron
GWTPqZp6b

GWTPqZp6b 49

Posted
Posted
7 hours ago, Chyron said:

TOTP (Time-based One-Time Password) via app is superior to SMS codes and emailed codes.

So yes. This.

+1. I also assume bring self hosted, few will want to absorb costs of a SMS relay too. 

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...