bandit8623 213 Posted June 12, 2025 (edited)

2 hours ago, muzicman0 said: Yes, but in order to put them on my VPN, I am making it so that some users can't access. As stated above.

so you are giving admin access to some of your users? if so then give them 2 accounts: 1 for non vpn (https and non admin) and the other for vpn (http with admin priv). lock out all https admin users from connecting from outside your wan. no need to put all users on a vpn. if all your users from outside wan are not admin and connecting https all is good. just make admin users connect via vpn. even in domain enterprise environments you have your admin account which is only used for admin stuff... then the non admin account used for day to day.

Edited June 12, 2025 by bandit8623
muzicman0 84 Posted June 12, 2025

No, none of my users have admin access. That's not the point. And honestly, this has gotten away from the point of this thread.
bandit8623 213 Posted June 12, 2025 (edited)

6 minutes ago, muzicman0 said: No, none of my users have admin access. That's not the point. And honestly, this has gotten away from the point of this thread.

if none of your users have admin access then 2fa really is not a priority. i agree though it would be nice to have...

Edited June 12, 2025 by bandit8623
SirSolox 9 Posted July 15, 2025

+1 please get this added ASAP. It's crazy it's been 7 years since this was initially requested.
muzicman0 84 Posted July 15, 2025

2 hours ago, SirSolox said: +1 please get this added ASAP. It's crazy it's been 7 years since this was initially requested.

Yep. A basic TOTP authentication would be fine. Plenty of open source libraries if they don't want to develop from scratch.
bandit8623 213 Posted July 31, 2025

On 7/15/2025 at 2:29 PM, muzicman0 said: Yep. A basic TOTP authentication would be fine. Plenty of open source libraries if they don't want to develop from scratch.

TOTP addon in emby would be ideal. just like my router OPNsense has. sync with fav 2fa app with qr generator and good to go.
muzicman0 84 Posted September 25, 2025

Just finished reading a thread where someone forgot to add a password to someone's account that was an admin and it looks like their server was compromised. One more reason to add 2fa. Also, is there an option to not allow passwordless accounts?
ebr 16169 Posted September 26, 2025

16 hours ago, muzicman0 said: One more reason to add 2fa

I'm afraid in that instance, this feature wouldn't make any difference. If they didn't have a password, they also wouldn't have enabled 2FA (we will not blanket require it - it will have to be opted in by the server owner).
WBoweIII 7 Posted October 31, 2025

I am just about finished flipping from Plex to Emby and 2FA is really the only big hole in the product. I know you are not going to force it but I would love to see a server side setting that we control individually that had the following 2FA options: Optional, Required for Admins, Required for all users.
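Added example, not part of any post in this thread and not Emby code: a standard-library sketch of the TOTP flow discussed above (QR enrollment via an `otpauth://` URI, RFC 6238 verification with a drift window and replay rejection) combined with the three-level server setting requested in the preceding post. The policy names `optional`, `admins` and `all`, the function names and the issuer string are hypothetical; the secret is the RFC 4226 test secret.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote

SECRET = b"12345678901234567890"  # RFC 4226 test secret, never use for real accounts

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp_verify(secret, submitted, now=None, step=30, window=1, last_counter=-1):
    """RFC 6238 check; returns the matched time-step counter or None.

    Accepts +/- `window` steps of clock drift. Counters at or below
    `last_counter` (the last one this account used) are rejected, so a
    code captured in transit cannot be replayed inside its validity window.
    """
    current = int(time.time() if now is None else now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter  # caller stores this as the new last_counter
    return None

def provisioning_uri(secret: bytes, user: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")

def second_factor_required(policy: str, is_admin: bool, enrolled: bool) -> bool:
    """Hypothetical server setting: 'optional', 'admins' or 'all'."""
    if policy == "all":
        return True
    if policy == "admins":
        return is_admin or enrolled
    return enrolled  # optional: only users who opted in are challenged

if __name__ == "__main__":
    print(provisioning_uri(SECRET, "alice", "MediaServer"))  # constructed names
    print(totp_verify(SECRET, hotp(SECRET, int(time.time()) // 30)))
```

The shared secret is only as private as the channel it is enrolled over, so the enrollment QR code and the submitted codes both need to travel over HTTPS.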
angellmark 1 Posted November 3, 2025

hahaha when op not in emby all problem and request not in proses, hello please emby all Emby Premiere buy key with money
trashken 7 Posted November 14, 2025

Server was just compromised today ... 2FA is a must in 2025!
bandit8623 213 Posted November 14, 2025 (edited)

2 hours ago, trashken said: Server was just compromised today ... 2FA is a must in 2025!

Can you share more details? was emby admin hacked? or another non admin user? while i agree 2fa would be nice... what happened in your situation? there are many ways of getting hacked... and it's not always emby's fault.

Edited November 14, 2025 by bandit8623
porkslapchop 2 Posted December 19, 2025

This should be a high priority item imo. Another alternative would be OIDC support so we can force 2fa on our identity provider (Authentik, Authelia, Keycloak). Immich can do this even on the Android app. On TV, login could work via QR code similar to YouTube. Just throwing out ideas here.
WBoweIII 7 Posted December 19, 2025

It would also be a big step forward to force you to set a password. If you really want a blank one you should have to tick a "Blank Password" box. It's super easy to leave a user without one set.
ALLSTAR1986 15 Posted December 25, 2025

Hello @Luke

What happened to 2FA? I would also like to have security for my admin account. I have also secured my Asustor NAS admin account with 2FA. Now all that's missing is emby. I think 2FA is very important. We live in a time when systems are attacked every day and hackers try to gain access! I am in favor of 2FA for the emby account!
athinaok 25 Posted December 25, 2025

Let's hope the 2026 devs finally provide this fundamental feature.
sydlexius 297 Posted December 25, 2025 (edited)

It bears repeating that one of the critical requirements is an HTTPS connection, otherwise other auth improvements are just "security theater." As Let's Encrypt is supposed to be releasing IP-based certs by EOY 2025 (it's available in their staging environment), this seems like a good foundation to build on for this and other auth improvements. There are quite a few low-restrictions OSS .NET implementations of the ACME v2 protocol clients that could be integrated into Emby server that would improve security and anonymity should the devs consider it.

Edited December 25, 2025 by sydlexius
raudraido 48 Posted December 26, 2025

AT THIS POINT, Emby developers should ask themselves, why customers pay for Emby, why customers still keep buying this software over other similar priced services OR FREE alternatives.
adrianwi 279 Posted December 27, 2025

The emby team should be ashamed by this thread. Almost 8 years since this was started.
porkslapchop 2 Posted January 5

On 7/4/2024 at 1:14 PM, Painkiller88 said: I still wonder why I see all kinds of "but and excuses" statements instead of giving users the ABILITY to have MFA. All I see is "but it does not make your server more secure, etc." Just give users and Admins the OPTION to use MFA. As long as Emby is not a managed service and is doing all the maintenance for the Linux or Windows servers etc. people are using, this is nothing you have to bother about. When someone has a Microsoft Entra Tenant, Microsoft is not responsible for any misconfigurations if you have the wrong sharing options or are not using conditional access etc. Why are you trying to make people feel like you do a full managed service and you need to ensure they have a secure environment? You give people a program to host their own media server, nothing more; you are not managing my security or something else. If people forget their password or just use 12345 as a password, this is nothing you have to bother with. Just give us the option out of the box, to enable MFA for those who want it. No need to discuss the whole 7 OSI Layers and security. Thanks

Quoting this again in 2026. We bought a product which we like. MFA is now a must for most services. There is no more discussion to be had if this feature is needed. It is needed. The only discussion that should be had is how to implement it. There are several options here:

1. OIDC/SAML Plugin so we can do it ourselves. Many would be happy with this. We already have LDAP.
2. Internal MFA which we have to enable
3. Passkeys
bandit8623 213 Posted January 5

a built in vpn seems like a better option. the vpn that's built in could use 2 auth. if you don't want to use the built in vpn function no 2auth
muzicman0 84 Posted January 5

43 minutes ago, bandit8623 said: a built in vpn seems like a better option. the vpn that's built in could use 2 auth. if you don't want to use the built in vpn function no 2auth

Not really. I would hate to have to explain to my mom from 1700 miles away how to set up a VPN. I use Tailscale, which is super easy, but, no way would she be able to do it. Plus, is Roku still a thing? I doubt there is a VPN for it. Not sure about AppleTV devices.