[Feature Request] 2FA

[LevinCeglie]

Hey there! So far I really enjoyed using your application. Great job! But there is one feature that I would really like seeing implemented, namely Two Factor Authentication. Since I want to listen to my audiobooks from everywhere I have to expose the service. Consequently the only thing keeping a lock on the root user is a password.

Kind regards

[advplyr]

I've not setup 2FA for a self-hosted project before. I know Plex has this but I suspect they use their own servers and they are closed source (haven't used it though). Do you use any open source self-hosted software that can be referenced?

[typhooncarr]

If we could link with something like Authelia, Keycloak, etc that would be great

[mx03]

For 2fa: https://www.npmjs.com/package/speakeasy

But before implement 2fa the login system should made more secure. The token that authorize the user is always the same after every login instead a random session id.

[advplyr]

I think enhancing the auth should be a priority, at a minimum improving the token based auth. Speakeasy does look like an easy solution for adding TOTP w/ QR code 2FA.

I'm not sure how to integrate with Authelia or Keycloak. They would sit in front of Abs and users would authenticate, but how does Abs retrieve the sign-in info?

As far as the api tokens go, refreshing them on every login could be problematic when moving between mobile and the web app. Adding an expiration with a configurable expiration time may be the best option there. Also, android auto doesn't allow signing in, so this could be frustrating when tokens expire while listening in AA.

[NorthhtroN]

Not sure if you have looked into this so apologies if this is stuff you know but look into SAML, oauth and openid connect.

Basically abs would allow external identity providers to authenticate a user and provide abs with a token with info about the uses (username, role, etc). Since abs sees this identity provides as trusted a user coming from the provided is allowd access.

You can get more complex and link accounts/auto create users, etc, but the main benefits is that users who have rolled their own SSO system can use 1 login accross multiple services and login once the provider will pass the auth token to abs when a user navigates

Abs would be considered a service provided in the oauth flow

[MidnightSnowleopard]

There is already work being done on this very thing. #351

It's still ongoing and will probably take a bit before it's merged and fully stable but it has already started. Given how quickly this project has already progressed I wouldn't be surprised if this was sooner rather than later.

[NorthhtroN]

Thanks @MidnightSnowleopard I guess that is what i get for commenting on a 2 month feature request :)

[davidLeimroth]

@MidnightSnowleopard @NorthhtroN My time was super limited recently and it'll be like that for another couple of days. So if you have experience with oidc, feel free to contribute to #351. Being able to centrally manage users for selfhosted apps is a big plus point for everyone hosting multiple apps.

[genebean]

Just wanted to add how awesome adding totp based 2FA would be.

[DDriggs00]

Some methods for supporting 2fa will also open up support for sso, so I thought I'd link that feature request

[jrhedman]

I know firefly-iii has 2FA as an option and is an open source project that's self hosted. I'll try to to take a look into this when I get a chance and see what is used there and if it's possible to use a similar implementation here.

[michaelkrieger]

Something like Authelia adds Remote-User and Remote-Groups HTTP headers as the verify middleware is trigged. This would let you get a trusted username of the currently logged in user. This would be on the server-side of things. You'd then need the iOS/Android app to identify when authentication is required and open a web page so you can do the web-based authentication and the cookies can be grabbed. It would then need to pass the cookie with future requests. This is probably the simple way. Most other authentication backends work the same way.

The complicated/future-proof way would be to do Oath2 authentication, which is again supported by things like Authelia. Same idea that the client apps would need to interface with this to prompt the user.

[JohanPotgieter]

It has been 18 months since this request was logged. Is it still in the works or has it been abandoned? This is a vital feature today as more and more systems are hacked and self-hosted systems are most vulnerable as most of us don't have "system admin" level knowledge to keep our systems secure.

[BlackHoleFox]

To interject, what do you think makes 2FA/MFA on its own a "vital feature" for a self-hosted web server? Is there a specific threat you are hoping to remove? A random password, some kind of autofill either from your OS, browser, or third-party password manager, and server TLS gets you a long way. The first two are not only for system admins. MFA would not save you from a failure of another of the prior two (MFA setup secrets are vulnerable without TLS, for example).

[JohanPotgieter]

To interject, what do you think makes 2FA/MFA on its own a "vital feature" for a self-hosted web server? Is there a specific threat you are hoping to remove? A random password, some kind of autofill either from your OS, browser, or third-party password manager, and server TLS gets you a long way. The first two are not only for system admins. MFA would not save you from a failure of another of the prior two (MFA setup secrets are vulnerable without TLS, for example).

I don't mean to suggest that any one security measure will make you safe. You have to use a series of measures to try and keep your system safe. This will add another layer of protection that will contribute to the whole security profile of a server. There is no silver bullet for server security. I still feel that we should strive to make each system as secure as possible.

[advplyr]

This is still planned

[turnercore]

Audiobookshelf is not hosting vital or sensitive data. A password with brute force protection is plenty secure enough for this kind of application, in my opinion. If you make backups of your server and data (as you should) then who even cares if someone gets into the app?

It would be cool to allow integration with Authelia or some SSO/2FA app that you can run as a middleware for users who care, but it doesn't seem like an urgent enhancement to me. Certainly add it if it's easy, but I wouldn't spend a lot of time on 2FA when there are lots of other feature requests and bug fixes that would be of higher impact. That's my unasked for two cents 🪙🪙

[Sapd]

This is now possible using SSO. You can set up SSO and disable password login. (and ofc set up 2FA in your SSO provider)

https://github.com/advplyr/audiobookshelf/issues/998

[advplyr]

This is supported through OIDC. That gives more flexibility than implementing some specific 2FA auth.