bandit8623 213 Posted January 5 Posted January 5 5 minutes ago, muzicman0 said: Not really. I would hate to have to explain to my mom from 1700 miles away how to set up a VPN. I use Tailscale, which is super easy, but, no way would she be able to do it. Plus, is Roku still a thing? I doubt there is a VPN for it. not sure about AppleTV devices. what i mean is what if its built into the emby app? you want 2auth. how are you going to explain 2 auth to her?
muzicman0 84 Posted January 5 Posted January 5 She has other 2fa devices, so that isn't a problem. But her concept of a VPN is AVG Security software, and she managed to break her home network with that. Even if it was built into the emby server, the client would still need it, unless you mean building it into the client, which may or may not be possible.
bandit8623 213 Posted January 5 Posted January 5 (edited) 6 minutes ago, muzicman0 said: She has other 2fa devices, so that isn't a problem. But her concept of a VPN is AVG Security software, and she managed to break her home network with that. Even if it was built into the emby server, the client would still need it, unless you mean building it into the client, which may or may not be possible. i mean building it in. but we dont know if emby is working on this or not. end of day though i would never enable 2fa for my regular users (more pain in the butt for them). not really needed (cant remove or add media or make changes). i would use for an admin account. but for me being admin i can currently just vpn to my server and manage locally. Edited January 5 by bandit8623 1
muzicman0 84 Posted January 5 Posted January 5 honestly, I think the easiest way of doing this is to just email the user a code to their configured email address, and have a check box that allows the server to 'remember this device'. Not too invasive, and easy to implement.
bandit8623 213 Posted January 5 Posted January 5 4 minutes ago, muzicman0 said: honestly, I think the easiest way of doing this is to just email the user a code to their configured email address, and have a check box that allows the server to 'remember this device'. Not too invasive, and easy to implement. well you need a service host the email needs to originate from. so unless every emby server provides this? totp is a much easier way. the server hosts the totp. the users get a qr code and can use any auth app likle microsoft/google/authy. takes out using emails.
hapylestat 10 Posted January 7 Posted January 7 On 12/25/2025 at 10:49 PM, sydlexius said: It bears repeating that one of the critical requirements is an HTTPS connection, otherwise other auth improvements are just "security theater." As Let's Encrypt is supposed to be releasing IP-based certs by EOY 2025 (its available in their staging environment), this seems like a good foundation to build on for this and other auth improvements. There are quite a few low-restrictions OSS .NET implementations of the ACME v2 protocol clients that could be integrated into Emby server that would improve security and anonymity should the devs consider it. while in most cases 2-fa should be handled by application itself, as https with provided certs should be possible to enable. SSL settings available in emby and most likely accessible through API for automation. An advanced scenarios like certs via ACME servers should be implemented via Traefik or Certbot or acme.sh + cron. Why to implement bicycle? It's another big job to support any changes which come to ACME proto and how properly to integrate to Provider of your liking.
hapylestat 10 Posted January 7 Posted January 7 On 1/5/2026 at 9:25 PM, bandit8623 said: a built in vpn seems like a better option. the vpn thats built in could use 2 auth. if you dont want to use the built in vpn fuction no 2auth Build in vpn what, server? Or client? In 99% cases just use docker compose Emby with Tailscale as sidecar container. After that, you could access it from any device with tailscale client and as bonus - tailscale provides dns record, http -> https termination and ACL control on who from your tailnet able to access Emby.
bandit8623 213 Posted January 7 Posted January 7 (edited) 18 minutes ago, hapylestat said: Build in vpn what, server? Or client? In 99% cases just use docker compose Emby with Tailscale as sidecar container. After that, you could access it from any device with tailscale client and as bonus - tailscale provides dns record, http -> https termination and ACL control on who from your tailnet able to access Emby. it would need to be both.. connecting to the emby server from the emby client using a internal vpn built into emby. Edited January 7 by bandit8623
muzicman0 84 Posted January 7 Posted January 7 2fa and VPN are not the same things. They can mitigate some of the same problems of course, but ultimately we need 2fa. There are multiple ways to implement TOTP Email Heck, build it into the IOS and Android app and click on a notification The problem with a VPN is it is not possible to install most (if not all) VPNs on Roku devices. At least one of my users (sister-in-law) is currently using Roku.
bandit8623 213 Posted January 7 Posted January 7 (edited) 6 minutes ago, muzicman0 said: 2fa and VPN are not the same things. They can mitigate some of the same problems of course, but ultimately we need 2fa. There are multiple ways to implement TOTP Email Heck, build it into the IOS and Android app and click on a notification The problem with a VPN is it is not possible to install most (if not all) VPNs on Roku devices. At least one of my users (sister-in-law) is currently using Roku. I realize that. but there are app based vpns. doesnt effect all traffic. when you do this 2fa goes hand in hand. ----- An app-based VPN uses a dedicated application on your device (phone, computer) to create a secure, encrypted connection (tunnel) for your internet traffic, offering privacy, security, and bypassing restrictions, with popular providers like ExpressVPN and Proton VPN offering easy-to-use apps for various platforms. Key features include Per-App VPN, letting specific apps use the tunnel while others don't (great for work), and Split Tunneling, allowing you to choose which apps go through the VPN or not. Edited January 7 by bandit8623
bandit8623 213 Posted January 8 Posted January 8 (edited) On 1/5/2026 at 2:11 PM, muzicman0 said: Not really. I would hate to have to explain to my mom from 1700 miles away how to set up a VPN. I use Tailscale, which is super easy, but, no way would she be able to do it. Plus, is Roku still a thing? I doubt there is a VPN for it. not sure about AppleTV devices. you are completely missing the point. when you log into emby and use 2auth that would be itself the vpn. nothing special. it would all be built into the app client/server. obviously this is just a theory on how to do it. if you use any sort of other vpn seperatley you should be using 2FA for that as well. so why not make all in 1 Edited January 8 by bandit8623
87racer 1 Posted January 15 Posted January 15 On 1/8/2026 at 8:14 AM, bandit8623 said: you are completely missing the point. when you log into emby and use 2auth that would be itself the vpn. nothing special. it would all be built into the app client/server. obviously this is just a theory on how to do it. if you use any sort of other vpn seperatley you should be using 2FA for that as well. so why not make all in 1 This idea is pointless. Establishing an entire VPN tunnel using Emby players as a client and the server as the server is far more complicated than just using proper TLS with certificates. You gain literally no advantage by using a protocol like WG or IPSEC instead of TLS in this manner. Just implement proper 2FA using TOTP. It should take less than a day to implement this using widely available libraries and most users already use TOTP for other things. Passkeys would also be extremely easy to implement and use but have slightly lower adoption and user acceptance so far. 1 1
_Matt 3 Posted January 21 Posted January 21 On 12/27/2025 at 9:36 AM, adrianwi said: The emby team should be ashamed by this thread. Almost 8 years since this was started I just created an account to post here about the absurdity of this not existing yet. I purchases premiere so I could migrate from Plex to Emby, but I didn't realize until too late that 2FA is not even an option for an admin. I was so focused on evaluating the other features, recreating libraries, testing the apps, etc. I really like Emby, but I will not be able to use it until 2FA is added as an option. I'm not going to put my data at risk because adding 2FA to an internet exposed application is not a priority for this team. I don't need it for normal users, but admin accounts 100% need it. I guess at the end of the day, the Emby team already received my money for a lifetime license, so why would they care? I guess I'll just power down my Emby LXC and stick with Plex until this feature is added. Honestly pretty annoyed at this whole thing. 1
raudraido 48 Posted January 21 Posted January 21 5 hours ago, _Matt said: I just created an account to post here about the absurdity of this not existing yet. I purchases premiere so I could migrate from Plex to Emby, but I didn't realize until too late that 2FA is not even an option for an admin. I was so focused on evaluating the other features, recreating libraries, testing the apps, etc. I really like Emby, but I will not be able to use it until 2FA is added as an option. I'm not going to put my data at risk because adding 2FA to an internet exposed application is not a priority for this team. I don't need it for normal users, but admin accounts 100% need it. I guess at the end of the day, the Emby team already received my money for a lifetime license, so why would they care? I guess I'll just power down my Emby LXC and stick with Plex until this feature is added. Honestly pretty annoyed at this whole thing. Try Jellyfin, its free. You can thank me later 1
Q-Droid 989 Posted January 21 Posted January 21 10 hours ago, _Matt said: I just created an account to post here about the absurdity of this not existing yet. I purchases premiere so I could migrate from Plex to Emby, but I didn't realize until too late that 2FA is not even an option for an admin. I was so focused on evaluating the other features, recreating libraries, testing the apps, etc. I really like Emby, but I will not be able to use it until 2FA is added as an option. I'm not going to put my data at risk because adding 2FA to an internet exposed application is not a priority for this team. I don't need it for normal users, but admin accounts 100% need it. I guess at the end of the day, the Emby team already received my money for a lifetime license, so why would they care? I guess I'll just power down my Emby LXC and stick with Plex until this feature is added. Honestly pretty annoyed at this whole thing. You created an account just to tell everyone that you paid for lifetime before even checking if Emby has a feature that is so important that now you can't use the product. Nice trolling, but if true it says more about you than it does about Emby. 1
brothom 177 Posted January 21 Posted January 21 3 minutes ago, Q-Droid said: You created an account just to tell everyone that you paid for lifetime before even checking if Emby has a feature that is so important that now you can't use the product. Nice trolling, but if true it says more about you than it does about Emby. Regardless of him being a troll or not, the matter still stands. 2FA would be a nice extra security layer to add to our servers. 1 2
Q-Droid 989 Posted January 21 Posted January 21 9 minutes ago, brothom said: Regardless of him being a troll or not, the matter still stands. 2FA would be a nice extra security layer to add to our servers. I agree it would be nice and sixteen pages make it clear to the devs that users want MFA for Emby. If they decide to implement we can expect more than sixteen pages of users unhappy with the method chosen but we have to wait for the bridge to get built first. 2
raudraido 48 Posted January 21 Posted January 21 59 minutes ago, Q-Droid said: I agree it would be nice and sixteen pages make it clear to the devs that users want MFA for Emby. If they decide to implement we can expect more than sixteen pages of users unhappy with the method chosen but we have to wait for the bridge to get built first. rather it seems those posts are forwarded directly to /dev/null 1
muzicman0 84 Posted January 21 Posted January 21 3 hours ago, Q-Droid said: You created an account just to tell everyone that you paid for lifetime before even checking if Emby has a feature that is so important that now you can't use the product. Nice trolling, but if true it says more about you than it does about Emby. I disagree. His point was that it should be expected that software like this has 2fa built in. It never even occurred to him that it wouldn't be. 3
_Matt 3 Posted January 23 Posted January 23 On 1/21/2026 at 7:01 AM, brothom said: Regardless of him being a troll or not, the matter still stands. 2FA would be a nice extra security layer to add to our servers. I am not a troll. I didn't think verifying 2FA was a thing I needed to do in 2026... 2
adrianwi 279 Posted January 30 Posted January 30 On 31/01/2018 at 00:04, xorinzor said: I'd really like to have 2 Factor Authentication added to the login screen. It's just this (optional) extra layer of security to help secure the server (which, especially if people use camera uploads) contains pretty private data. There are for every type of programming language quite a few libraries available, so implementation on a server shouldn't be too hard to realise On 31/01/2018 at 04:28, Luke said: Yea it could be possible for the future. This hasn't aged well. 9 years, 16 pages and 129 likes. A classic example of NOT listening to your user feedback 2
Soki 9 Posted February 1 Posted February 1 (edited) +1 for (optional) 2FA (for all accounts, not just admins). This is a layer of security which has to be added everywhere imho. I've seen logins into emby admin accounts where I am 100% certain the password (and name of account) were not known to anybody (and it was a secure password). Theres always a chance that there are ways to get in, or will be ways to get in with future updates, so using 2FA should never be a question of preference or taste, but of a healthy security awarness. Thanks. Edited February 1 by Soki
bandit8623 213 Posted February 1 Posted February 1 (edited) 2 hours ago, Soki said: +1 for (optional) 2FA (for all accounts, not just admins). This is a layer of security which has to be added everywhere imho. I've seen logins into emby admin accounts where I am 100% certain the password (and name of account) were not known to anybody (and it was a secure password). Theres always a chance that there are ways to get in, or will be ways to get in with future updates, so using 2FA should never be a question of preference or taste, but of a healthy security awarness. Thanks. There is actually zero way in for admin if you don't allow admin login remotely...that's fact. Unless of course your local lan is compromised...time for you to get your security fixed Edited February 1 by bandit8623 1
Soki 9 Posted February 1 Posted February 1 You should not give any advise without knowing the details. You dont know my setup and your assumption in this case is wrong. Furthermore is this a feature request thread and this request obviously is something a lot of users would greatly appreciate. 1
bandit8623 213 Posted February 1 Posted February 1 (edited) 3 minutes ago, Soki said: You should not give any advise without knowing the details. You dont know my setup and your assumption in this case is wrong. Furthermore is this a feature request thread and this request obviously is something a lot of users would greatly appreciate. dont give give false narratives for the request. thats all we ask. i have also asked for 2fa. i just dont gaslight people for it Edited February 1 by bandit8623 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now