Features

ZL154 edited this page Jun 15, 2026 · 3 revisions

A complete authentication + hardening layer for Jellyfin in a single plugin — no separate identity stack, no LDAP outpost, no proxy-auth header juggling.


Authentication factors

  • TOTP (RFC 6238) — works with Google Authenticator, Authy, 1Password, Microsoft Authenticator, Bitwarden, etc.
  • Passkeys / WebAuthn — Face ID, Touch ID, Windows Hello, YubiKey or any FIDO2 authenticator. Phishing-resistant (bound to your domain). Replaces the code step, not the password.
  • Recovery codes — 10 single-use codes at enrollment, stored as PBKDF2-SHA256 hashes, shown once, downloadable as PDF.
  • Email OTP — configurable SMTP fallback; codes expire in 5 minutes, single-use. See Email / SMTP.
  • App passwords — revocable long random passwords for native apps (stored as PBKDF2-SHA256 hashes).
  • Per-device trust — signed HTTP-only cookie (HMAC-SHA256, 30-day expiry, SameSite=Strict).

OIDC / SSO sign-in

Google, Microsoft/Entra, Apple, Authelia, Authentik, Keycloak, PocketID, Cloudflare Access, or any OIDC-compliant IdP. See the full OIDC / SSO guide.

  • PKCE (S256), id_token signature + issuer + audience + nonce validation.
  • Optional AMR-based IdP-MFA enforcement and group allowlists.
  • Role → library access — map IdP groups/roles to libraries (#65).
  • Profile-picture sync — mirror the IdP avatar into Jellyfin (#66).
  • Email auto-fill + configurable email claim — populate the Jellyfin email from the IdP on sign-in (#70, v2.5.11).
  • Custom login button — per-provider button text + icon/logo (#69, v2.5.11).
  • Disable password sign-in — OIDC-only mode with admin/LAN/CIDR escape hatches (#69, v2.5.11).
  • Clear sign-in error messages — failed SSO explains why instead of bouncing silently (v2.5.11).
  • Account chooser (prompt=select_account), private/LAN endpoints, OIDC step-up, and hide built-in login buttons for OIDC-only deployments.
  • Login-page provider buttons; users self-manage linked accounts from Setup.

Enforcement

  • Session-level enforcement via ISessionManager.SessionStarted — works for all clients, not just web.
  • API-level request blocking — even valid Jellyfin tokens get 401 until 2FA is completed.
  • Per-IP rate limiting on verify (10 per minute) and email send (5 per 5 minutes).
  • Per-challenge attempt limit (5 attempts before the challenge is burned).
  • Per-user lockout after N failed attempts (configurable; counts wrong passwords and codes).
  • LAN bypass (configurable CIDR ranges) so local devices can skip 2FA.
  • Force-2FA-for-all-users mode.

Account protection

See the full Account Protection guide.

  • Account lockout with admin-exempt option (anti-DoS).
  • Empty-password blocking for every sign-in.
  • Password recovery by email — one-time, single-use, rate-limited reset link, SMTP-gated (#71, v2.5.11).
  • Brute-force IP banning — Fail2Ban-style, in-process, persisted across restarts.
  • Impossible-travel detection — MaxMind GeoLite2-based, fires via your notification channels.
  • Per-user IP allowlist — pin high-value accounts to specific CIDRs.
  • Step-up authentication on sensitive admin actions.
  • Hardened self-service factor changes — proof-of-factor before adding/replacing any 2FA factor.
  • Indefinite device trust (admin-gated opt-in).

Security internals

  • TOTP secrets encrypted at rest with AES-GCM using a persistent 32-byte key.
  • Cookie signatures use HMAC-SHA256 with a persistent key.
  • Constant-time comparison for all secret material (CryptographicOperations.FixedTimeEquals).
  • TOTP replay prevention (used time-steps tracked per user).
  • Recovery codes marked used immediately on validation — stolen codes can't be retried.
  • Atomic file writes for user data — a crash mid-write doesn't corrupt 2FA state.
  • Generic error messages prevent account enumeration.
  • Audit-log hash chain so silent tampering is detectable.
  • SSRF egress guard on all outbound calls (OIDC fetches, webhooks, picture sync).
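An added example, not the plugin's own code, showing how a per-device trust cookie of the kind listed above can be issued and verified: HMAC-SHA256 over a payload under a persistent key, a 30-day expiry, constant-time tag comparison with CryptographicOperations.FixedTimeEquals, and the HttpOnly/SameSite=Strict attributes. The cookie name jf_device_trust, the payload layout and the in-memory key are assumptions for the illustration.

```csharp
// Added example (not the plugin's code): a per-device trust cookie signed with
// HMAC-SHA256 under a persistent key, with a 30-day expiry and constant-time verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class TrustCookie
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30);

    // Assumed value layout: hex(userId|deviceId|expiresUnix) "." hex(HMAC tag)
    public static string Issue(byte[] key, string userId, string deviceId, DateTimeOffset now)
    {
        long expires = now.Add(Lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes($"{userId}|{deviceId}|{expires}");
        byte[] tag = HMACSHA256.HashData(key, payload);  // one-shot API, .NET 6+
        return Convert.ToHexString(payload) + "." + Convert.ToHexString(tag);
    }

    // True only if the tag verifies (constant time), the cookie is for this user, and it is unexpired.
    public static bool Verify(byte[] key, string cookie, string userId, DateTimeOffset now)
    {
        string[] parts = cookie.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, tag;
        try { payload = Convert.FromHexString(parts[0]); tag = Convert.FromHexString(parts[1]); }
        catch (FormatException) { return false; }  // malformed encoding
        byte[] expected = HMACSHA256.HashData(key, payload);
        // FixedTimeEquals returns false on length mismatch and does not short-circuit on content.
        if (!CryptographicOperations.FixedTimeEquals(expected, tag)) return false;
        string[] f = Encoding.UTF8.GetString(payload).Split('|');
        return f.Length == 3 && f[0] == userId
            && long.TryParse(f[2], out long exp) && now.ToUnixTimeSeconds() < exp;
    }

    // Set-Cookie attributes from the design: HttpOnly, SameSite=Strict (plus Secure). Name is assumed.
    public static string SetCookieHeader(string value, DateTimeOffset now) =>
        $"jf_device_trust={value}; Expires={now.Add(Lifetime):R}; Path=/; HttpOnly; Secure; SameSite=Strict";
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);  // constructed here; the plugin persists its key
        var now = DateTimeOffset.UtcNow;
        string cookie = Issue(key, "user-1", "device-A", now);
        Console.WriteLine(SetCookieHeader(cookie, now));
        Console.WriteLine(Verify(key, cookie, "user-1", now));             // fresh, untampered
        Console.WriteLine(Verify(key, cookie, "user-2", now));             // bound to a different user
        Console.WriteLine(Verify(key, cookie + "00", "user-1", now));      // tag extended by a byte
        Console.WriteLine(Verify(key, cookie, "user-1", now.AddDays(31))); // past the 30-day lifetime
    }
}
```

Only the first Verify call succeeds; the user mismatch, the altered tag and the elapsed lifetime are each rejected before any trust is granted.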

See Architecture for the threat model and middleware breakdown.

Native client support

  • Device pairing — passwordless users approve native clients (Swiftfin, Findroid, Tizen, Android TV) from Setup.
  • Quick Connect pass-through — a 2FA-verified user approving a Quick Connect code passes verification to the new device.
  • Active sessions view — users see and sign out their own sessions.

Admin tools

See the full Admin Guide.

  • Users / Trusted Devices / Pairings / Audit Log / IP Bans / Sign-in Methods tabs.
  • 12-factor security score (raw 130 pts, normalized to 100).
  • Auth-activity overview — stacked-area chart with 1w/1m/1y ranges.
  • Encrypted configuration export/import — AES-256-GCM, PBKDF2-SHA256 (600k iter) envelopes.
  • Audit-chain rebuild, bulk user actions, per-user GDPR export, diagnostics checklist.
  • Webhook events + ntfy / Gotify push notifications.

Internationalization

8 first-class languages at full key parity — en, de, es, fr, it, ja, pt, zh — with a native-name picker, per-user preference, server-wide default, and ?lang= override.


For per-version highlights see Releases. For the deep dive on internals, see Architecture.