Houfino, posted June 30, 2024 (edited):

Delete.. I squished it by mistake.. Sorry.

Edited June 30, 2024 by Houfino
Houfino, posted June 30, 2024:

16 minutes ago, Geekies said:
Hi, first thanks for Emby. I moved from Plex here but I'm in trouble about the lack of 2FA security. When do you think, @Luke, this request for 2FA will be completed? We really need it, please... Have a nice day.

Luke doesn't want to deal with it... He doesn't care that hackers hacked and destroyed Emby servers.
odeuxcool, posted July 1, 2024:

18 hours ago, Houfino said:
Luke doesn't want to deal with it... He doesn't care that hackers hacked and destroyed Emby servers.

Good morning. No, please don't talk nonsense either. He never said he didn't want to put it in place. The problem is that they are in no hurry to strengthen security in this area and favor other means (a reverse proxy, for example). However, the other means are not necessarily easy for everyone to implement and, above all, prevent the application from being used everywhere. Clearly, it is true that they would really have to move their butts royally on this type of subject, but to say that they are doing nothing, no, we must not overdo it.
GWTPqZp6b, posted July 1, 2024:

I work in an adjacent software development field and deal with feature prioritization calls and diverse customers regularly, and was curious about this thread and 2FA in Emby. Obviously a full 2FA implementation with a secure backend and associated user flows is a pretty significant undertaking, and I think some of the foundational backend engineering might have been done following the exploit last year, but I wondered if any folks would want to have the user-facing 2FA entry page available sooner than all the back-end hardening? It would potentially give a false sense of security, but it may also be a deterrent to anyone trying to exploit the system? My preference would be to leave 2FA off until it can be implemented properly with a robust backend and leverage other security mechanisms like firewalls, strong user passwords and reverse proxy configurations in the meanwhile.
rbjtech, posted July 2, 2024 (edited):

14 hours ago, GWTPqZp6b said:
I work in an adjacent software development field and deal with feature prioritization calls and diverse customers regularly, and was curious about this thread and 2FA in Emby. Obviously a full 2FA implementation with a secure backend and associated user flows is a pretty significant undertaking, and I think some of the foundational backend engineering might have been done following the exploit last year, but I wondered if any folks would want to have the user-facing 2FA entry page available sooner than all the back-end hardening? It would potentially give a false sense of security, but it may also be a deterrent to anyone trying to exploit the system? My preference would be to leave 2FA off until it can be implemented properly with a robust backend and leverage other security mechanisms like firewalls, strong user passwords and reverse proxy configurations in the meanwhile.

Agreed. I have mentioned this several times throughout this thread: until you have covered off the basics to ensure they are robust, MFA will just provide a false sense of security and any serious threat will simply sidestep it. Anybody that needs to rely on MFA is simply not managing their security properly, and it should never be used to fill the gaps in a poorly engineered security system. Exposing any form of hosted Admin account to the internet is simply a no-no in this day and age. MFA on user accounts is, imho, simply not needed on a personal media platform.

I for one would much prefer if Emby used the time/effort to implement https out of the box and removed the ability to host remotely over http. That would be much more welcome and appreciated by the community, rather than using the time on MFA, which of course could only be used by those using https anyway, and probably an even smaller subset of those who want to turn on remote Admin.

Edited July 2, 2024 by rbjtech
athinaok, posted July 2, 2024:

I understand your concerns, but I respectfully disagree. While it's true that MFA should not replace a robust foundational security setup, it is still an essential layer of security. Here are a few points to consider:

Layered Security: Security is most effective when implemented in layers. Even if the basics are covered, MFA provides an additional hurdle for attackers, making it significantly harder for them to gain unauthorized access.

Mitigating Risks: No system is completely foolproof. MFA adds an extra step in the authentication process, which can help mitigate risks if other security measures fail or are bypassed.

Widespread Adoption: Many industry standards and best practices recommend or even require MFA for securing sensitive information and accounts. Its adoption is a testament to its effectiveness in enhancing security.

Remote Access: In a world where remote access is becoming more common, MFA helps protect against compromised credentials, which are a leading cause of data breaches.

HTTPS and MFA Together: Implementing HTTPS out of the box is indeed crucial, but it's not mutually exclusive with MFA. Both can and should be part of a comprehensive security strategy.

While I agree that basic security measures should be robust and not neglected, MFA should be viewed as a critical component of a well-rounded security approach.
GWTPqZp6b, posted July 2, 2024:

1 hour ago, athinaok said:
I understand your concerns, but I respectfully disagree.

To my reading, I don't think you're actually disagreeing. I think there's nuance that's getting lost in language here.

1 hour ago, athinaok said:
While it's true that MFA should not replace a robust foundational security setup, it is still an essential layer of security.

It's true that MFA should not replace a robust security setup. It's also true that MFA requires a robust security foundation to be valuable. Only once the basics are in place can a worthwhile MFA system be implemented.
rbjtech, posted July 2, 2024 (edited):

3 hours ago, athinaok said:
I understand your concerns, but I respectfully disagree. While it's true that MFA should not replace a robust foundational security setup, it is still an essential layer of security. Here are a few points to consider: [...] While I agree that basic security measures should be robust and not neglected, MFA should be viewed as a critical component of a well-rounded security approach.

..and that's fine, but I just see you are opening the security guidelines 101 and listing how MFA helps. Let me reply to these one at a time.

3 hours ago, athinaok said:
Layered Security: Security is most effective when implemented in layers. Even if the basics are covered, MFA provides an additional hurdle for attackers, making it significantly harder for them to gain unauthorized access.

Yep, so if layered security is required (no disagreements here), why would you want MFA incorporated into the same product? Bypassing security by means of a vulnerability within Emby means just that: you bypass the lot, including MFA. Having MFA would not have helped in the recent Emby vulnerability, for example. Use MFA as part of another 'layer', to let's say secure the network layer, THEN this argument is valid. This is why you have multiple firewalls, multiple vendors, multiple DMZs etc. Everyone in security knows this. Will Emby require this to 'host'? Of course not.

3 hours ago, athinaok said:
Mitigating Risks: No system is completely foolproof. MFA adds an extra step in the authentication process, which can help mitigate risks if other security measures fail or are bypassed.

As above, MFA is useful IF the standard credentials have been breached. If people are not using unique, generated passwords and are re-using short, likely breached passwords, then risk mitigation should begin by educating them not to do that. A unique long password is simply not breakable in the first place, so having MFA to 'protect' it is not technically required.

3 hours ago, athinaok said:
Widespread Adoption: Many industry standards and best practices recommend or even require MFA for securing sensitive information and accounts. Its adoption is a testament to its effectiveness in enhancing security.

Don't disagree, but it is used as a 'convenience' because many people do not follow best practice and use weak passwords, using MFA as their fallback. A weak breached password + MFA is weaker than a strong unique password on its own. A strong unique password + MFA is of course the strongest of all of them.

3 hours ago, athinaok said:
Remote Access: In a world where remote access is becoming more common, MFA helps protect against compromised credentials, which are a leading cause of data breaches.

As above, MFA should not be used as an excuse for weak re-used passwords. Bypassing MFA for a determined attacker is an option if they have already got through the first auth via a weak username and password or another vulnerability. Cryptographically, they will not be able to 'crack it', but they may be able to simply bypass the auth. Anybody who exposes an 'Admin' account over the internet, MFA or not, is misguided if they think MFA will protect them.

3 hours ago, athinaok said:
HTTPS and MFA Together: Implementing HTTPS out of the box is indeed crucial, but it's not mutually exclusive with MFA. Both can and should be part of a comprehensive security strategy.

I never said it was. I said that Emby focusing resources on getting https out of the box would be preferable to them implementing MFA for those that already use https. As part of this https 'solution' they should incorporate MFA by design.

--

I'm not disagreeing AT ALL that MFA should be part of a security setup. It should, but there are MANY more 'layers' that are prerequisites to https, let alone MFA. There are also many layers in parallel with MFA that are needed to protect the transports. Auth is pointless if you can just bypass it. Emby will get to MFA, but I suspect it will be part of a more generic https drive in combination with client updates using OTPs or QR codes etc. that benefit everybody. We are all on the same side here..

Edited July 2, 2024 by rbjtech
athinaok, posted July 2, 2024:

Thank you for your detailed response. I appreciate your insights and the thorough breakdown of the points I raised. You've highlighted some important aspects of security that are crucial to consider. I agree that:

Layered Security: Using multiple layers, including network-level security and diverse vendors, is essential.

Mitigating Risks: Educating users on strong, unique passwords is fundamental, and MFA shouldn't be a crutch for poor password practices.

Widespread Adoption: The convenience of MFA often compensates for common bad habits, but it works best in conjunction with strong passwords.

Remote Access: MFA is not a cure-all, especially if fundamental security practices are ignored.

HTTPS and MFA: Focusing on HTTPS implementation first is a priority, with MFA as part of that comprehensive strategy.

I also agree that exposing admin accounts to the internet is risky, and MFA alone won't mitigate that risk. To sum up, while MFA is a valuable part of security, it's not a substitute for fundamental security measures. It should be part of a holistic approach that includes robust password practices, HTTPS, and other layers of security. I'm glad we're on the same side in aiming for better security overall. Thanks again for the discussion!
adrianwi, posted July 2, 2024:

Good to see the 2024 update to this 2,372-day-old thread. I wonder if we'll still be debating whether or not something that has been pretty much standard on any internet-facing service for the past 2-3 years will have been added to Emby before the 2025 update? The lack of MFA after all this time is indefensible.
rbjtech, posted July 3, 2024 (edited):

11 hours ago, adrianwi said:
Good to see the 2024 update to this 2,372-day-old thread. I wonder if we'll still be debating whether or not something that has been pretty much standard on any internet-facing service for the past 2-3 years will have been added to Emby before the 2025 update? The lack of MFA after all this time is indefensible.

If we want to go back to real security basics: you are still allowed a single-character password for remote access. Yes, really... My view is Emby need to fix that asap.. frankly I'm embarrassed for them in this area.. For remote access, force a minimal entropy, ideally with a breach pre-lookup. How hard can that be?.. Next is https out of the box, then MFA.. Agree that the lack of password entropy and still using http in 2024 is indefensible. MFA should be optional and would likely be designed into any https solution anyway, so leaving it out would be a very odd decision.

I've asked a few times now about a dedicated 'Security' forum in Emby, but it gets rejected, so maybe a few more threads on all the other 'weak' offerings may be the way to go, to not only remind Emby but also educate others that out of the box, Emby is simply insecure...

Edited July 3, 2024 by rbjtech
Painkiller88, posted July 3, 2024:

Actually I don't see Emby giving options for password complexity or lockout threshold or something, so maybe this is why users are asking for MFA: because Emby does not provide other security features out of the box. For us who are deeper in tech stuff, yes, we can implement things like fail2ban etc., but out of the box I haven't seen an option to force users to use strong passwords or something else. So I can understand both sides, and there should be more focus on security instead of fixing subtitles or things like this.
Neminem, posted July 3, 2024:

Here is the dev's answer on forcing password restrictions on admin and users.
rbjtech, posted July 3, 2024:

34 minutes ago, Painkiller8818 said:
Actually I don't see Emby giving options for password complexity or lockout threshold or something, so maybe this is why users are asking for MFA: because Emby does not provide other security features out of the box. For us who are deeper in tech stuff, yes, we can implement things like fail2ban etc., but out of the box I haven't seen an option to force users to use strong passwords or something else. So I can understand both sides, and there should be more focus on security instead of fixing subtitles or things like this.

Password lockout, funnily enough, has been implemented, but it won't take much to brute force a single-character password lol. Agree on the focus: fix the important things first!
rbjtech, posted July 3, 2024 (edited):

27 minutes ago, jaycedk said:
Here is the dev's answer on forcing password restrictions on admin and users.

Which is sad. Emby have a responsibility to protect not only their product and your media collection, but also the home network on which it is hosted. Let's say there is a vulnerability on an authenticated account, allowing shell access. Now the lack of 'Emby' security means your local network is visible and further attacks can now be made, snooping on your bank login credentials etc. All because Emby's view is they don't want to discourage the non-tech-savvy from using Emby remotely. As soon as you hit that 'remote access' button, you should be forced to create a decent password on all the admin accounts, and personally on all user accounts as well, but until there is a decent way to enter this password or an OTP mechanism into the apps, then I can see why they don't want to do this. They need to prioritise this imo, but until they get hit again with a widespread vulnerability, I don't see things changing...

Edited July 3, 2024 by rbjtech
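rbjtech's "force a minimal entropy, ideally with a breach pre-lookup" and the lockout-versus-single-character-password exchange above, as an added example that is not Emby's code and not from anyone in this thread: a remote-access password gate with a length floor, a character-class entropy estimate, a k-anonymity breach-corpus lookup of the kind Have I Been Pwned offers (queried here against a constructed in-memory range table, not the live service), and a per-account failure counter with a lockout window. The thresholds, the constructed range data and all function and class names are this example's own assumptions.

```python
import hashlib
import math
import string
from collections import defaultdict

# Thresholds are this example's assumptions, not Emby settings.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 50
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def estimate_entropy_bits(password: str) -> float:
    """Character-class estimate: length * log2(size of the classes used).

    This overestimates for dictionary words and keyboard walks, which is
    exactly why the breach-corpus lookup below is the real gate.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


# Constructed stand-in for a k-anonymity "range" response: for one 5-hex-char
# SHA-1 prefix, lines of "REMAINING_35_HEX_CHARS:COUNT". The real Have I Been
# Pwned service has this shape; the counts here are invented for the example.
_CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"  # rest of SHA-1("password")
        "0123456789ABCDEF0123456789ABCDEF012:2\n"     # filler entry
    ),
}


def constructed_range_lookup(prefix: str) -> str:
    return _CONSTRUCTED_RANGES.get(prefix, "")


def breached_count(password: str, range_lookup=constructed_range_lookup) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_remote_password(password: str, range_lookup=constructed_range_lookup) -> list:
    """Reasons a password is unacceptable for a remotely reachable account.

    An empty list means the password passes every gate.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bits = estimate_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    hits = breached_count(password, range_lookup)
    if hits:
        problems.append(f"appears {hits} times in the breach corpus")
    return problems


class LoginThrottle:
    """Per-account failure counter: locked after MAX_FAILURES failures within
    LOCKOUT_SECONDS. 'now' is passed in so the logic is testable."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # account -> timestamps of recent failures

    def is_locked(self, account: str, now: float) -> bool:
        recent = [t for t in self._failures[account] if now - t < self.lockout_seconds]
        self._failures[account] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


if __name__ == "__main__":
    print(check_remote_password("password"))          # three problems
    print(check_remote_password("xK9#mv2!Qp7$Lw4z"))  # [] (constructed passphrase)
```

The entropy estimate is deliberately the weakest gate: a 12-character dictionary phrase scores well on character classes, so the breach lookup (or a local wordlist) is what actually catches re-used passwords, and the throttle is what makes a remaining short password expensive to guess rather than free.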
bandit8623, posted July 3, 2024:

Anyone that allows their admin accounts to be logged in remotely without 2FA should not do so. Personally I use a VPN if I want to log in to my local http admin. Until 2FA is added I recommend all to do it this way.
Przemek, posted July 3, 2024:

7 hours ago, bandit8623 said:
Anyone that allows their admin accounts to be logged in remotely without 2FA should not do so. Personally I use a VPN if I want to log in to my local http admin. Until 2FA is added I recommend all to do it this way.

Hi, I never thought about that. Thanks for the tip. So should I create a new admin user and disable remote access, then disable admin options for my regular user?
bandit8623, posted July 3, 2024 (edited):

32 minutes ago, Przemek said:
Hi, I never thought about that. Thanks for the tip. So should I create a new admin user and disable remote access, then disable admin options for my regular user?

I personally created a new user with no admin rights; I use this to watch shows when I'm away, and just disable https access on the admin account you currently have. If you want to keep your watched list the same, you could do what you suggested and make a new admin account with https access disabled, then change the rights on your old admin to a regular user.

Edited July 3, 2024 by bandit8623
Painkiller88, posted July 3, 2024:

1 hour ago, bandit8623 said:
I personally created a new user with no admin rights; I use this to watch shows when I'm away, and just disable https access on the admin account you currently have. If you want to keep your watched list the same, you could do what you suggested and make a new admin account with https access disabled, then change the rights on your old admin to a regular user.

Same here, I created a normal user for myself without admin permissions and without permissions to delete things on the file system.
sydlexius, posted July 3, 2024:

I took an added step for my Emby docker container of only allowing read-only access to all of the media mount points, so unless a threat actor finds a way to escape the "sandbox", they still can't modify/delete my media (or the adjacent metadata files). The only downside to this approach is that I need to rely on tools like TinyMediaManager to fetch my metadata, whose automation capabilities leave a lot to be desired.
Chillout, posted July 4, 2024 (edited):

+1 for optional required 2FA... BUT admins should be able to configure this as optional and/or required for each user. I have users constantly forgetting their passwords, requiring me (Admin) to reset or create a new password. 2FA would eliminate that issue for me. I don't use Connect, so there is no way for users to reset their password. It would also reduce the amount of password sharing by placing a greater burden on the account holder to have to send a temporary code within the time limit. I bet they would find it a great hassle and decide it's not worth sharing their account. I only share my Emby server with close friends and family and know who is accessing my server by their IP address or device name. I'm not opposed if my brother shares his Emby account with his father-in-law, but I'm not going to provide tech support for anyone other than the person I gave the account to. What I don't know is if there is some fee Emby would be paying for this service, and maybe it's not practical to deploy without charging.

Edited July 4, 2024 by Chillout
bandit8623, posted July 4, 2024 (edited):

On 2/3/2024 at 12:48 PM, ebr said:
Well, it does a bit in that, in order to implement 2FA there needs to be some sort of authentication point and, having one central one for everyone makes this MUCH easier. The complication with us is that the authentication lies entirely within your own server on your network. Just look at the number of people who struggle setting up external access to their machines and extrapolate that out to trying to properly set up their network so that 2FA communications can properly work. Not impossible but certainly more complex and much, much harder to support.

It needs to have each user's server host the TOTP server. So couldn't Emby have that baked into the installation? QR code, then set up using Microsoft or Google Authenticator.

Edited July 4, 2024 by bandit8623
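The per-server TOTP setup bandit8623 describes above (a secret generated and verified on the user's own server, enrolled by scanning a QR code into Google or Microsoft Authenticator) needs no central authentication point, which is the complication ebr raised. The following is an added example, not Emby code and not from anyone in this thread: RFC 6238 TOTP over HMAC-SHA1, the otpauth:// provisioning URI that authenticator apps decode from the QR code, and a server-side verifier with a one-step clock-skew window and replay rejection. The key shown is the RFC 6238 test-vector key, and the TotpVerifier class and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Defaults that Google and Microsoft Authenticator assume when the QR code
# does not say otherwise: HMAC-SHA1, 6 digits, 30-second time step.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app decodes from the enrolment QR code.
    The secret is base32 without padding, as the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
        f"&digits={DIGITS}&period={STEP_SECONDS}"
    )


class TotpVerifier:
    """Server-side check: accept codes from +/- `window` steps to tolerate clock
    skew, and never accept a step at or before the last one used (replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, at: int) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        current = at // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed step
            # Constant-time compare so a timing leak cannot narrow the code.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# RFC 6238 Appendix B test-vector key (ASCII "12345678901234567890"); a real
# server would generate 20 random bytes per user with secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "admin@example-media-server", "Emby (example)"))
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
```

Everything here runs on the media server itself: the only things that leave it are the QR code at enrolment and the six-digit code the user types back, so no outbound "2FA communications" are involved. The verifier also shows the two server-side details that cheap implementations skip: a skew window so a phone a few seconds off still works, and remembering the last consumed step so an intercepted code cannot be replayed within its 30-second lifetime.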
ebr, posted July 4, 2024:

1 hour ago, Chillout said:
I have users constantly forgetting their passwords, requiring me (Admin) to reset or create a new password. 2FA would eliminate that issue for me.

Hi. How would 2FA solve the problem of users forgetting their password?
Happy2Play, posted July 4, 2024:

2 minutes ago, ebr said:
1 hour ago, Chillout said:
I have users constantly forgetting their passwords, requiring me (Admin) to reset or create a new password. 2FA would eliminate that issue for me.
Hi. How would 2FA solve the problem of users forgetting their password?

That is what I was wondering, as you still have to enter username/password to get the second authentication. To a point it would get old really quick. Yes, it adds security, but I can't stand the sites I am forced to log into that have it, and avoid them as much as possible.
bandit8623, posted July 4, 2024 (edited):

1 hour ago, Happy2Play said:
That is what I was wondering, as you still have to enter username/password to get the second authentication. To a point it would get old really quick. Yes, it adds security, but I can't stand the sites I am forced to log into that have it, and avoid them as much as possible.

I'm actually the opposite. If a site I like doesn't have 2FA I avoid it, depending on how much personal info is on there. Where 2FA does help is if a general password does get breached... the person with the breached password or the means to brute force can't get in with 2FA. An example of why OpenVPN uses it for truly good security.

Edited July 4, 2024 by bandit8623