muzicman0
Posted February 1

2 hours ago, bandit8623 said:
> There is actually zero way in for admin if you don't allow admin login remotely...that's fact. Unless of course your local lan is compromised...time for you to get your security fixed

But what if I want remote login for the admin account, or what if I need remote login for the admin account? I travel a ton. Sometimes the server needs managing even when I am not at home, and sometimes my PC isn't handy, which means a VPN isn't a solution for 'local' access. The point is that we need 2fa. It doesn't make sense for it to be admins only as long as it is optional.

bandit8623
Posted February 1

12 minutes ago, muzicman0 said:
> But what if I want remote login for the admin account, or what if I need remote login for the admin account? I travel a ton. Sometimes the server needs managing even when I am not at home, and sometimes my PC isn't handy, which means a VPN isn't a solution for 'local' access. The point is that we need 2fa. It doesn't make sense for it to be admins only as long as it is optional.

vpn currently. and that's why really only the admin needs 2fa

Soki
Posted February 1

I did not say anything about any setup. Just that I wish there was a 2fa option. May I ask, who is "we"? Are you talking for the emby dev team?

muzicman0
Posted February 1

41 minutes ago, bandit8623 said:
> vpn currently. and that's why really only the admin needs 2fa

only that isn't always possible. But again, if it's optional, why would it matter to you. For those that want it for Admin only, fine. For those of us who don't want anyone logging into our server admin or not, we want it on everyone, we would also have that option.

bandit8623
Posted February 1 (edited)

5 minutes ago, muzicman0 said:
> only that isn't always possible. But again, if it's optional, why would it matter to you. For those that want it for Admin only, fine. For those of us who don't want anyone logging into our server admin or not, we want it on everyone, we would also have that option.

it doesn't just matter to me what you do. I'm telling you what is safe ATM. and again I'm fully for 2fa. @soki said they had their admin account got logged into. if you have had an unauthed login you would need to re-eval your security practices currently. and the current safest thing is to not allow admin remotely. can you answer why a vpn is not always possible? if you are hosting emby you can then easily host your own vpn for free.

Edited February 1 by bandit8623

muzicman0
Posted February 1

Well, clearly 2fa isn't going to happen any time soon based on how long this thread has been going on, so I guess for now, all the arguments are pointless.

bandit8623
Posted February 1

10 minutes ago, muzicman0 said:
> Well, clearly 2fa isn't going to happen any time soon based on how long this thread has been going on, so I guess for now, all the arguments are pointless.

not pointless. can be used to at least educate people to not just leave admin open to web.. clearly seems people are still doing this.

bandit8623
Posted February 9

Just sharing what emby should be working on. HomeAssistant supports it. Opnsense supports it. Many other apps support as well. It also does not need to be mandatory.

TOTP Auth
https://www.loginradius.com/blog/engineering/what-is-totp-authentication
----------------------
https://www.home-assistant.io/docs/authentication/multi-factor-auth/
https://docs.opnsense.org/manual/how-tos/two_factor.html

Harry0
Posted Tuesday at 07:09 PM

I’ve successfully implemented a secure authentication flow using the Emby LDAP plugin and Authentik. My environment runs on Linux Debian 12/13. (Please note: this guide is Linux-specific; I cannot provide support for Windows environments). The setup relies on a hardened network structure and precise LDAP mapping.

Key takeaways:

- Emby Configuration: Install the LDAP-plugin from the Emby Catalog (must have a premier license). Set the User Search Filter to (sAMAccountName={0}) and ensure the Bind DN matches your Authentik admin user exactly.
- Network & Firewall: Authentik resides in a DMZ, while Emby is in the LAN. A firewall rule (e.g., in OPNsense/pfsense) must allow traffic on port 389 from Emby to Authentik.
- LDAP Outpost: The Embedded Outpost must be active and linked to the Emby application in Authentik.
- 2FA Implementation: Authentik handles MFA over LDAP via the "password semicolon" method. Users enter credentials in Emby as password;123456.
- NTP Sync: Precise time synchronization across all devices is mandatory for TOTP tokens to validate.
- Security (GeoIP): In my firewall, I’ve implemented GeoIP filtering to only allow traffic from my own country to my Nginx server, significantly reducing the attack surface.
- Jellyseerr Integration: By using Emby as the authentication provider for Jellyseerr, users are automatically required to use their 2FA tokens there as well, simplifying the workflow.

I hope this contributes to a solution for those seeking 2FA for Emby. A step-by-step guide (documented with AI assistance) here: Emby LDAP Authentication with 2FA using Authentik

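The "password;123456" convention and the NTP requirement from the post above, as an added example that is not part of the post and is not Authentik's or Emby's code. It assumes a 6-digit RFC 6238 code split off at the last semicolon, a tolerance of one 30-second step, and a plaintext password comparison for brevity; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", max(unix_time, 0) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_bind_password(combined: str, digits: int = 6):
    """Split 'password;123456' on the LAST semicolon (assumed convention),
    so passwords that themselves contain ';' still work."""
    password, sep, code = combined.rpartition(";")
    if not sep or len(code) != digits or not (code.isascii() and code.isdigit()):
        return combined, None          # no usable code appended
    return password, code

def verify_bind(combined, stored_password, secret, server_time, window=1):
    """Accept only if the password matches AND the code is valid within
    +/- `window` time steps of the server clock."""
    password, code = split_bind_password(combined)
    if code is None:
        return False
    pw_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    code_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        code_ok |= hmac.compare_digest(candidate, code)
    return pw_ok and code_ok

# Constructed sample data: RFC 6238 test secret, made-up password.
SECRET = b"12345678901234567890"
PHONE_TIME = 59                       # clock on the user's authenticator
TYPED = "hunter;2;" + totp(SECRET, PHONE_TIME)

if __name__ == "__main__":
    for skew in (0, 30, 90):          # server clock ahead of the phone
        ok = verify_bind(TYPED, "hunter;2", SECRET, PHONE_TIME + skew)
        print(f"server skew {skew:>2}s -> accepted={ok}")
```

A server clock that has drifted 90 seconds rejects a correct password and a correct code, which is the failure the NTP point guards against.
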
muzicman0
Posted Tuesday at 09:13 PM

2 hours ago, Harry0 said:
> I’ve successfully implemented a secure authentication flow using the Emby LDAP plugin and Authentik. My environment runs on Linux Debian 12/13. (Please note: this guide is Linux-specific; I cannot provide support for Windows environments). The setup relies on a hardened network structure and precise LDAP mapping.
>
> Key takeaways:
>
> - Emby Configuration: Install the LDAP-plugin from the Emby Catalog (must have a premier license). Set the User Search Filter to (sAMAccountName={0}) and ensure the Bind DN matches your Authentik admin user exactly.
> - Network & Firewall: Authentik resides in a DMZ, while Emby is in the LAN. A firewall rule (e.g., in OPNsense/pfsense) must allow traffic on port 389 from Emby to Authentik.
> - LDAP Outpost: The Embedded Outpost must be active and linked to the Emby application in Authentik.
> - 2FA Implementation: Authentik handles MFA over LDAP via the "password semicolon" method. Users enter credentials in Emby as password;123456.
> - NTP Sync: Precise time synchronization across all devices is mandatory for TOTP tokens to validate.
> - Security (GeoIP): In my firewall, I’ve implemented GeoIP filtering to only allow traffic from my own country to my Nginx server, significantly reducing the attack surface.
> - Jellyseerr Integration: By using Emby as the authentication provider for Jellyseerr, users are automatically required to use their 2FA tokens there as well, simplifying the workflow.
>
> I hope this contributes to a solution for those seeking 2FA for Emby. A step-by-step guide (documented with AI assistance) here: Emby LDAP Authentication with 2FA using Authentik

Does this give an option to 'not require 2fa on this device' after successfully authenticating?

Harry0
Posted Tuesday at 10:28 PM

57 minutes ago, muzicman0 said:
> Does this give an option to 'not require 2fa on this device' after successfully authenticating?

Personally I would let the application do what they do best. Meaning that emby is very perfect for showing movies and TV series etc, not security. Security is a very different and different issues that other applications are much better at what they do. I think that emby should make a bit more plugins for authentication types. Maybe like OpenID Connect, SAML or OAuth. Then people can make their own choice how they let users connect secure on their own platform.

Also, I never let an application like emby or other apps connect directly to the Internet using only a NAT. Then within few hours you definitely get hacked or infiltrated on your local LAN. Always use a reverse proxy and DMZ. And if that is too complicated, just use a VPN like wireguard or openvpn.

Hope this closes the issue regarding "does emby need a MFA/2FA".

nospotify
Posted Tuesday at 10:39 PM

Sorry, you're not the hall monitor. Lots of users want 2FA in Emby, the way it is in virtually every other major app we use these days.

Harry0
Posted Tuesday at 10:40 PM

On 2/1/2026 at 7:02 PM, bandit8623 said:
> it doesn't just matter to me what you do. I'm telling you what is safe ATM. and again I'm fully for 2fa. @soki said they had their admin account got logged into. if you have had an unauthed login you would need to re-eval your security practices currently. and the current safest thing is to not allow admin remotely. can you answer why a vpn is not always possible? if you are hosting emby you can then easily host your own vpn for free.

The problem with a vpn is the firewalls of the place where you are. If you are in a different country and you have no data, you must rely on the public WiFi. But many public WiFi has only certain ports open. Usually it's the common ports like 80/443. Therefore a vpn connection can not be made thru these firewalls. I had that same issue when I was on holiday.

bandit8623
Posted Tuesday at 10:42 PM

Just now, Harry0 said:
> The problem with a vpn is the firewalls of the place where you are. If you are in a different country and you have no data, you must rely on the public WiFi. But many public WiFi has only certain ports open. Usually it's the common ports like 80/443. Therefore a vpn connection can not be made thru these firewalls. I had that same issue when I was on holiday.

true, but that's not very likely. and you can change your vpn ports. openvpn you can pick what you want..

Harry0
Posted Tuesday at 10:46 PM (edited)

11 minutes ago, nospotify said:
> Sorry, you're not the hall monitor. Lots of users want 2FA in Emby, the way it is in virtually every other major app we use these days.

If emby does not support 2FA (at this moment or ever), look at different solutions like I did. You can demand a lot from an application but if the developers don't like it or want to implement it then tough. You're free to go to other applications like emby.

Edited Tuesday at 10:51 PM by Harry0

Harry0
Posted Tuesday at 10:49 PM

6 minutes ago, bandit8623 said:
> true, but that's not very likely. and you can change your vpn ports. openvpn you can pick what you want..

That's true as well. But you don't know at that moment which port you can use. And while you found out while you are at a location, you can't adjust it cause you can't log in.

bandit8623
Posted Tuesday at 10:58 PM

8 minutes ago, Harry0 said:
> That's true as well. But you don't know at that moment which port you can use. And while you found out while you are at a location, you can't adjust it cause you can't log in.

the real issue would be if a place blocked the emby port....then only way around would be vpn of your choosing

Harry0
Posted Tuesday at 11:01 PM

1 minute ago, bandit8623 said:
> the real issue would be if a place blocked the emby port....then only way around would be vpn of your choosing

I am not using my emby port... I watch my emby with only port 443 (https). In the Emby app I'm not even giving a port number. I have to erase it else it doesn't work.

bandit8623
Posted Tuesday at 11:11 PM

8 minutes ago, Harry0 said:
> I am not using my emby port... I watch my emby with only port 443 (https). In the Emby app I'm not even giving a port number. I have to erase it else it doesn't work.

that's fine, but you don't need a vpn unless you connect with admin account imho. so in your case if vpn doesn't work you can still watch. but yes 2fa would be nice

Harry0
Posted Tuesday at 11:17 PM

Just now, bandit8623 said:
> that's fine, but you don't need a vpn unless you connect with admin account imho. so in your case if vpn doesn't work you can still watch. but yes 2fa would be nice

I'm fine. I don't have any issues.. I have vpn as well for emby and my other systems. But I'm watching emby with the app and browser with 2fa now with or without vpn. My emby users only use the Emby app or Web emby with 2fa... I don't have any problems and I'm secure.

bandit8623
Posted Tuesday at 11:20 PM (edited)

3 minutes ago, Harry0 said:
> I'm fine. I don't have any issues.. I have vpn as well for emby and my other systems. But I'm watching emby with the app and browser with 2fa now with or without vpn. My emby users only use the Emby app or Web emby with 2fa... I don't have any problems and I'm secure.

yep but it's not built in. and linux only. so I say thanks to you. this doesn't help everyone. hopefully this gets emby in the right direction. I'm just as secure as you with no 2fa no admins allowed outside lan

Edited Tuesday at 11:21 PM by bandit8623

Harry0
Posted Tuesday at 11:38 PM

3 minutes ago, bandit8623 said:
> yep but it's not built in. and linux only. so I say thanks to you. this doesn't help everyone. hopefully this gets emby in the right direction. I'm just as secure as you with no 2fa no admins allowed outside lan

To be honest.. Personally I would skip 2FA TOTP altogether. I would concentrate more on other security measures. 2FA is not that secure anymore. Hackers steal your cookie session if you work in a web browser in emby and they still get in. Think if any, the development should concentrate more on passkey to get this implemented.