
2-Factor Authentication (2FA)


xorinzor


On 07/09/2019 at 02:23, rbjtech said:

Like most of the mainstream streaming services, Emby already has 2FA of sorts  - Login and Device restrictions.  By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA...

 

For Prime (and probably Netflix) you have to Authorise the device it plays on, Emby is no different in concept, but you have to De-Authorise instead if you want 2FA.

 

[Image: Devices.png]

 

 

For the Web admin itself - then simply turn off internet access for your admin users  ..

 

[Image: admin.png]

..and then if you really do want to Administer Emby remotely (ie not on the LAN) then VPN onto your LAN (via 2FA..).

Thanks. This is a great way to lock down my users and make sure that no one unauthorized can access my server. It works really well.


+1 from me.

I have emby server facing the internet with its own subdomain. Also I have a lot of other services, but emby is the only one without 2FA.

It only worries me a little because Emby has permissions to actually delete files from disk. So, an extra security layer would be nice.


IMHO user votes for this shouldn't even matter due to its inherent importance, especially since I'm guessing that most users don't generally follow all the technological security related news and understand that there are real threats to defend from. Even if you don't believe that 2FA is important or see the continual trend of companies and individuals being hacked and exploited, you can see that other organizations have added 2FA to their offerings, even Plex.

 

@Jdiesel When you get the chance (no rush), can you bump this into the 40-100 Likes category, thank you!


My personal view is this will not go anywhere soon.  Out the box, emby does not even provide an automated SSL setup - so asking for 2FA on a plain text login is totally pointless.

The priority should be getting SSL 'out the box' - THEN move onto 2FA or maybe do it as part of the same functionality.

 


22 minutes ago, rbjtech said:

The priority should be getting SSL 'out the box' - THEN move onto 2FA or maybe do it as part of the same functionality.

 

If this would mean being forced to always go through their servers like Plex does, this is an absolute no-go for me.

Everyone has to make sure their server is secure when exposed to WWW and there are plenty of tutorials on how to get SSL working with Emby.

Just my 2cents though...


1 minute ago, neik said:

If this would mean being forced to always go through their servers like Plex does, this is an absolute no-go for me.

Everyone has to make sure their server is secure when exposed to WWW and there are plenty of tutorials on how to get SSL working with Emby.

Just my 2cents though...

agreed, emby plus nginx, SSL and even cloudflare is incredibly easy and can be free to set up. The tutorials out there should just be adapted into the KB


1 minute ago, neik said:

If this would mean being forced to always go through their servers like Plex does, this is an absolute no-go for me.

Everyone has to make sure their server is secure when exposed to WWW and there are plenty of tutorials on how to get SSL working with Emby.

Just my 2cents though...

No not at all.

In collaboration with the likes of 'LetsEncrypt' - all emby need to do is provide a domain with DDNS updates (likely via emby connect), and provide a cert to install LOCALLY which is renewed on their behalf. 


3 minutes ago, Spaceboy said:

agreed, emby plus nginx, SSL and even cloudflare is incredibly easy and can be free to set up. The tutorials out there should just be adapted into the KB

I think you missed the part about being 'out the box' .. ;)

Joe average is not even going to know what SSL stands for, let alone have the insight into the following multiple tutorials to set something up for which they have no understanding.

If you opt for a secure install - then there needs to be a tick box in emby setup - where you get a domain assigned (myserver.emby.media), associated cert created, installed and updated.  Yes that cert is owned and maintained by emby (it has to be, they own the domain) - but if you want SSL access, that is the trade off.     

The only time you need the emby servers is when your WAN IP changes (so DDNS updates) and when you need to renew the cert (3 months etc).   Normal media playback will use the local install, this is no different to a 3rd party SSL cert installed today.

 


31 minutes ago, rbjtech said:

I think you missed the part about being 'out the box' .. ;)

Joe average is not even going to know what SSL stands for, let alone have the insight into the following multiple tutorials to set something up for which they have no understanding.

If you opt for a secure install - then there needs to be a tick box in emby setup - where you get a domain assigned (myserver.emby.media), associated cert created, installed and updated.  Yes that cert is owned and maintained by emby (it has to be, they own the domain) - but if you want SSL access, that is the trade off.     

The only time you need the emby servers is when your WAN IP changes (so DDNS updates) and when you need to renew the cert (3 months etc).   Normal media playback will use the local install, this is no different to a 3rd party SSL cert installed today.

 

No I didn't. That's just never going to happen.

5 minutes ago, Spaceboy said:

No I didn't. That's just never going to happen.

I tend to agree - which goes back to my original point about 2FA being a pointless request if the security basics are not there to begin with.


4 hours ago, rbjtech said:

when you need to renew the cert (3 months etc)

If using Let's Encrypt then Certbot can do this automatically for you.  Indeed, how about negotiating to put the front end of Caddy into the package - everything (apart from DDNS) already there, automated and working.

Paul

Edited by pwhodges

Indeed Paul yes, I was just attempting to answer the point about being reliant on Emby services as opposed to stand alone as it is today. 

If certbot (or whoever) needs to contact emby to confirm ownership for the renewal, then I personally don't see that as an issue, the same dependency exists for your cert provider today whoever that may be.

 

4 hours ago, Spaceboy said:

agreed, emby plus nginx, SSL and even cloudflare is incredibly easy and can be free to set up. The tutorials out there should just be adapted into the KB

This is not "incredibly easy." As @rbjtech says, it should be available out of the box. Security features should be made available by default. Leaving the incorporation of any and all security features on the shoulders of the end-user is not the proper approach for commercial software. This software is not targeted at IT professionals and system administrators. This software is targeted at consumers who want to store their digital media locally, and serve it so that they can potentially access it from any device. It should not require reverse proxies and intimate knowledge of command line to be a secure product.

Speaking for myself, I enable 2FA TOTPs on all of my accounts wherever possible. So I would definitely appreciate this feature to be implemented. But as has been said, implementing HTTPS is probably a first step.


Unless I'm mistaken, and I'm happy to be corrected, 2FA does not require making calls to Emby internet services. It is also useful for everyone, not just professionals, not just every-day consumers.

If you want other features like auto-SSL, that's a separate type of request since for those who do understand nginx and certbot, it would bring in extra cruft to compile and maybe unwanted software on our networks.


3 hours ago, metsuke said:

Unless I'm mistaken, and I'm happy to be corrected, 2FA does not require making calls to Emby internet services. It is also useful for everyone, not just professionals, not just every-day consumers.

If you want other features like auto-SSL, that's a separate type of request since for those who do understand nginx and certbot, it would bring in extra cruft to compile and maybe unwanted software on our networks.

Unless you are using SSL/TLS to encrypt your first layer of Authentication - then anybody can simply snoop your passwords, or inject an 'authenticated' token into the stream - making any 2FA totally pointless and redundant.

For those with SSL/TLS already (by 3rd party methods) then yes, 2FA will add a layer of protection - but imho, the devs should spend the time securing the base system first for those that are still using http only - maybe without the knowledge that it is insecure and open to abuse.

34 minutes ago, rbjtech said:

Unless you are using SSL/TLS to encrypt your first layer of Authentication - then anybody can simply snoop your passwords, or inject an 'authenticated' token into the stream - making any 2FA totally pointless and redundant.

For those with SSL/TLS already (by 3rd party methods) then yes, 2FA will add a layer of protection - but imho, the devs should spend the time securing the base system first for those that are still using http only - maybe without the knowledge that it is insecure and open to abuse.

Right but as the title of this thread reads this is for the feature request to add 2FA. If you support the devs adding a "plug and play" feature for SSL, your comments would be better directed toward a feature request for that specific feature. As it stands now SSL is supported by Emby but it is not providing DDNS or certificate issuing to users.

14 hours ago, Chyron said:

Speaking for myself, I enable 2FA TOTPs on all of my accounts wherever possible.

As someone has already written here, Emby has/had (depending if you are on stable or beta server) some sort of 2FA as you are/were able to additionally restrict access by device.
So, even if someone has the credentials he cannot login if the user is restricted to his devices only -> If someone tries to login from an unknown device he will not get in.

But: With the next stable this is also gone, as the devs thought they needed to "improve" (in this case make it worse would suit better):
https://emby.media/community/index.php?/topic/94474-46020-revamped-device-access-control/


I don't think 2FA needs to be a one stop solution to securing emby. An incremental step forward to support 2FA for those users who have already secured their servers through SSL certs etc would be a step in the right direction. 

I'd vote against any plex style domain / certificate process personally. 


I have not tried, but emby premium supports LDAP. It might be possible to use duo and an ldap server to handle 2fa logins
