CBers, February 16, 2022
> Skyfay said: Is there any update?
If there was, it would be in the release notes for the server.
Skyfay, February 16, 2022
> CBers said: If there was, it would be in the release notes for the server.
Is it planned at all? Because for me that is a considerable security risk. And it doesn't seem too difficult to implement.
rbjtech, February 16, 2022
> Skyfay said: Is it planned at all? Because for me that is a considerable security risk. And it doesn't seem too difficult to implement.
Can you expand on why you think this is a considerable security risk? For any app holding personal or financial information, then yes, 2FA is necessary - but this is a personal media server. I would personally be more concerned that Emby does not enforce the use of password strength, does not enforce any sort of brute force lockout, nor does it even force the use of HTTPS. They are far more of a 'priority' than 2FA is imho.
Skyfay, February 16, 2022
> rbjtech said: Can you expand on why you think this is a considerable security risk? For any app holding personal or financial information, then yes, 2FA is necessary - but this is a personal media server. I would personally be more concerned that Emby does not enforce the use of password strength, does not enforce any sort of brute force lockout, nor does it even force the use of HTTPS. They are far more of a 'priority' than 2FA is imho.
In principle, every service that can be accessed from the Internet is a risk. If someone gets to the administrator account, he can do a lot of mischief. Sorry, but 2FA should be standard today...
CBers, February 16, 2022
> Skyfay said: Sorry, but 2FA should be standard today...
You try and convince the millions of people around the world that don't want to use it, or don't even know what it is.
Painkiller88, February 16, 2022
> CBers said: You try and convince the millions of people around the world that don't want to use it, or don't even know what it is.
Why don't you just give us the option to use it instead of telling the people in this thread, who have wanted the feature since 2018, that they don't need it and it is not a security problem etc.? What's the problem with implementing it and letting the users decide if they want/need it or not?
Luke, February 16, 2022
> Painkiller8818 said: Why don't you just give us the option to use it instead of telling the people in this thread, who have wanted the feature since 2018, that they don't need it and it is not a security problem etc.? What's the problem with implementing it and letting the users decide if they want/need it or not?
There is no problem with implementing it.
Painkiller88, February 16, 2022 (edited)
> Luke said: There is no problem with implementing it.
Great, so is it coming in the next stable version?
Luke, February 16, 2022
> Painkiller8818 said: Great, so is it coming in the next stable version?
No, but it's possible for future updates.
rbjtech, February 16, 2022 (edited)
> Skyfay said: In principle, every service that can be accessed from the Internet is a risk. If someone gets to the administrator account, he can do a lot of mischief. Sorry, but 2FA should be standard today...
I agree - and I'm not against the idea (for remote Admin), I'm simply stating that there are other fundamental items that are at a greater risk to the average Emby user that need fixing first. What would be the point of 2FA if I could simply inject an authorised string into the reply, from lack of an encrypted authorisation? What would be the point of 2FA if I had no password at all? (still allowed in Emby) At this point it's actually not 2FA at all .. lol. What if I set the password as 'password' - same as above, not 2FA at all. What if I set a password with a very low entropy? As there is no password lockout, I can break it in seconds... so we are back to no 2FA again. You see my point? Internet security is based on layers: get the base layers correct, then you add more optional layers (such as 2FA) - until then, it is pointless and you are actually putting people into a false sense that there IS security, when in fact there isn't ...
ertagon2, February 16, 2022
> rbjtech said: I agree - and I'm not against the idea (for remote Admin), I'm simply stating that there are other fundamental items that are at a greater risk to the average Emby user that need fixing first. What would be the point of 2FA if I could simply inject an authorised string into the reply, from lack of an encrypted authorisation? What would be the point of 2FA if I had no password at all? (still allowed in Emby) At this point it's actually not 2FA at all .. lol. What if I set the password as 'password' - same as above, not 2FA at all. What if I set a password with a very low entropy? As there is no password lockout, I can break it in seconds... so we are back to no 2FA again. You see my point? Internet security is based on layers: get the base layers correct, then you add more optional layers (such as 2FA) - until then, it is pointless and you are actually putting people into a false sense that there IS security, when in fact there isn't ...
That is all very interesting and so on, but... We want it! That is reason enough.
metsuke, February 16, 2022
> rbjtech said: I agree - and I'm not against the idea (for remote Admin), I'm simply stating that there are other fundamental items that are at a greater risk to the average Emby user that need fixing first. What would be the point of 2FA if I could simply inject an authorised string into the reply, from lack of an encrypted authorisation? What would be the point of 2FA if I had no password at all? (still allowed in Emby) At this point it's actually not 2FA at all .. lol. What if I set the password as 'password' - same as above, not 2FA at all. What if I set a password with a very low entropy? As there is no password lockout, I can break it in seconds... so we are back to no 2FA again. You see my point? Internet security is based on layers: get the base layers correct, then you add more optional layers (such as 2FA) - until then, it is pointless and you are actually putting people into a false sense that there IS security, when in fact there isn't ...
Disallowing users from shooting themselves in the foot is different from disallowing safety. We don't know all the different scenarios that users have. For example, having a bad password is ok if the user is LAN only. Perhaps there should just be help text that would mitigate footguns.

MFA significantly reduces the risk of accounts being compromised. If someone doesn't agree with that, we should have a different discussion, but I'm assuming that everyone understands this. Governments and businesses force MFA because they have something to lose. I hear over and over how organizations that don't use MFA have issues with account compromise.

My point is that I feel like I have something to lose. If Emby is compromised, someone is in my network with more important things than what Emby has. Emby is the gateway into my network, which has all sorts of things that I don't want to be in the hands of anyone else.

All the other apps that I expose to the WAN understand this and have MFA.
rbjtech, February 16, 2022
> metsuke said: All the other apps that I expose to the WAN understand this and have MFA.
...and I suspect they are all using HTTPS/TLS1.2 and are enforcing a decent entropy password in COMBINATION with MFA, making for a reasonably secure front door?
rbjtech, February 16, 2022
> metsuke said: Emby is the gateway into my network, which has all sorts of things that I don't want to be in the hands of anyone else.
If you are serious about security, then Emby should NOT be the gateway onto your network - put it in its own isolated subnet/VLAN. MFA or not, if the code/toolset is compromised then you have nothing further to protect you.
metsuke, February 16, 2022
> rbjtech said: If you are serious about security, then Emby should NOT be the gateway onto your network - put it in its own isolated subnet/VLAN. MFA or not, if the code/toolset is compromised then you have nothing further to protect you.
Most users will not be able to cordon off their apps sufficiently to protect against a code/toolset compromise, though if that is the issue then nobody should use Emby. One of the main points of this thread, and why so many people are vying for the necessity of MFA, is that account compromise is the most common and simplest vector of attack against apps. MFA almost completely nullifies these threats.
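The "layers" rbjtech describes above (password strength, brute-force lockout, a second factor on top) and the MFA check metsuke asks for can be shown together in a small login gate. The following is an added example written for this thread, not Emby's code and not from any poster; the policy values (12-character minimum, five failures before a 300-second lockout) and the `LoginGate` API are constructed for the demo. The TOTP routine is the standard RFC 6238 HMAC-SHA1 algorithm that authenticator apps use, so it can be checked against the RFC's published test vectors.

```python
"""Layered login gate: password policy, salted hashed verification, brute-force
lockout, and an optional TOTP second factor.  Added example; not Emby code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for the demo (hypothetical; Emby's settings differ).
MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5          # wrong passwords or codes before the account locks
LOCKOUT_SECONDS = 300
PBKDF2_ROUNDS = 100_000


def password_is_acceptable(pw: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    classes = sum([
        any(c.islower() for c in pw), any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= MIN_PASSWORD_LEN and classes >= 3


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked database does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at // step)           # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[str] = None   # None means no second factor enrolled
    failures: int = 0
    locked_until: float = 0.0


class LoginGate:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                  # injectable clock so lockout can be tested
        self.accounts: Dict[str, Account] = {}

    def register(self, name: str, pw: str, totp_secret: Optional[str] = None) -> bool:
        """Refuse weak passwords at enrolment; that is the base layer."""
        if not password_is_acceptable(pw):
            return False
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(salt, hash_password(pw, salt), totp_secret)
        return True

    def _fail(self, acct: Account, result: str) -> str:
        """Count a failed attempt; lock the account once the budget is spent."""
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return result

    def login(self, name: str, pw: str, code: Optional[str] = None) -> str:
        """Returns 'ok', 'locked', 'bad_credentials' or 'bad_code'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "bad_credentials"    # same answer as a wrong password
        if self.now() < acct.locked_until:
            return "locked"             # lockout applies even to correct guesses
        if not hmac.compare_digest(acct.pw_hash, hash_password(pw, acct.salt)):
            return self._fail(acct, "bad_credentials")
        if acct.totp_secret is not None:
            expected = totp(acct.totp_secret, int(self.now()))
            if code is None or not hmac.compare_digest(expected.encode(), code.encode()):
                return self._fail(acct, "bad_code")
        acct.failures = 0
        return "ok"
```

The order of the checks is the point: the lockout is consulted before anything else, so a guessed password cannot be confirmed once the account is locked, and a wrong TOTP code spends the same failure budget as a wrong password. A production version would also accept each code only once per time step and allow one step of clock drift; both are left out here to keep the example short.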
ebr, February 16, 2022
> metsuke said: Most users will not be able to cordon off their apps sufficiently to protect against a code/toolset compromise, though if that is the issue then nobody should use Emby. One of the main points of this thread, and why so many people are vying for the necessity of MFA, is that account compromise is the most common and simplest vector of attack against apps. MFA almost completely nullifies these threats.
So you wish to force your end users to have to use 2FA each time they load the app to watch media?
metsuke, February 16, 2022
> ebr said: So you wish to force your end users to have to use 2FA each time they load the app to watch media?
That's a good question. I may only want to force it for admins at first and those who can modify/delete. Someone I don't know watching my media is ok by me, but if they try to download the entire catalog at once, then their stay may be more problematic.
raudraido, February 16, 2022 (edited)
I also would like to see 2FA in Emby. I said some years ago, also in this thread, that it is a security risk for me, mainly because Emby has access to my files and permission to delete them. But I made my library read-only for Emby and now I do not care so much.
adrianwi, February 17, 2022
If 'there is no problem implementing it' and it's something requested over 4 years ago which users still keep asking for, surely the easiest solution is to just do it? I'd certainly use it on my admin account and possibly a few users too!
Painkiller88, February 17, 2022
> ebr said: So you wish to force your end users to have to use 2FA each time they load the app to watch media?
No, but securing the admin users with write and delete permissions, to allow them to secure their logins. We don't want to FORCE all users to have it enabled, but the possibility to enable it for specific accounts. Hopefully for normal users, if they activate it, there is a way to enable "don't ask again for this device", e.g. on a TV. But it is not really for normal users; we want this more for users with delete permissions. Thanks
ebr, February 17, 2022
> adrianwi said: surely the easiest solution is to just do it?
Hi. This is something that would impact all apps (and anything that uses the API) on all platforms and completely changes the flow of authentication. So while there isn't a "problem" implementing it - it is far from a simple throw-in.
ertagon2, February 17, 2022
> ebr said: Hi. This is something that would impact all apps (and anything that uses the API) on all platforms and completely changes the flow of authentication. So while there isn't a "problem" implementing it - it is far from a simple throw-in.
Yes, that's why we all love you so much, because you figure out the hard stuff.
Dreakon13, February 17, 2022 (edited)
I'll throw in my vote for 2FA. Not necessarily because I feel my network is insecure or the Emby software needs it, but mostly for peace of mind. I can understand why it hasn't been a priority though, weighing the man hours developing/testing such a substantial change versus other more important or even just lower hanging fruit.

EDIT: I will say it'd be cool if there were more frequent updates/timelines on exactly how Emby's development time is being spent though. As far as major new features go... not necessarily the incremental update notes. It'd probably calm people down a little bit when popular feature requests aren't handled timely enough.
toddaniels, February 18, 2022
First time poster sticking my nose into this thread. Though I don't see MFA as a cure-all for Emby's security woes (however minor they may be), I also have some concerns around exposing Emby's web server directly on the net. My solution was to deploy what I call Emby satellites for my daughters to connect to my Emby server: a Raspberry Pi using an SSH tunnel to allow their local network devices to connect to my Emby. Secure (based on SSH keys), keeps my Emby server safely behind my firewall, fast (SSH tunneling works well even on a Pi 3B+). Also saves me the trouble of having to maintain servers for each of their homes. They both use Rokus. I'm experimenting with putting Emby Theater on a Pi 4 and using the same tunnel to connect it to my house. Works well on a LAN, but some playback issues across the internet -- I'll get them figured out. FWIW, I also tunnel Emby across an IPsec VPN (pfSense) to my beach house and play content directly from there to my SmartCast/Chromecast devices.
tod