-
Notifications
You must be signed in to change notification settings - Fork 4
Installation
Requires Jellyfin 10.11+ (10.11.9 or newer recommended). The plugin depends on the auth-provider APIs introduced in 10.11. On 10.10.x or older it will not appear in the Catalogue — Jellyfin silently hides plugins whose
targetAbiis newer than the server. Check your version under Dashboard → About and upgrade if needed.
- Open Jellyfin → Dashboard → Plugins → Repositories.
- Click + and add this URL:
https://raw.githubusercontent.com/ZL154/JellyfinSecurity/main/manifest.json - Save and refresh plugins.
- Go to the Catalogue tab → install Jellyfin Security.
- Restart Jellyfin.
Upgrades are in-place — every persisted record (TOTP, passkeys, OIDC links, trusted browsers, paired devices, audit history) carries over.
# Windows
.\build.ps1 -Install# Linux/macOS
chmod +x build.sh && ./build.sh --installbuild.sh is a fat-package builder: managed assemblies are published once without a RID, then per-RID native libs (linux-x64, linux-arm64, linux-musl-x64) are bundled into runtimes/<rid>/native/ with a copy at the plugin root. This is what makes recovery-code PDF generation work on Raspberry Pi, Apple-Silicon Linux, and Alpine.
Copy these files into the plugin directory:
TwoFactorAuth/
├── meta.json
├── Jellyfin.Plugin.TwoFactorAuth.dll
├── Otp.NET.dll
└── QRCoder.dll
If you use OIDC, email OTP, passkeys, or PDF recovery codes, prefer the catalogue install or the fat build — those features pull in additional bundled dependencies (IdentityModel, Fido2NetLib, MaxMind.Db, QuestPDF + native libs) that the 4-file manual copy does not include.
Plugin directory by OS:
| Platform | Path |
|---|---|
| Docker | /config/plugins/TwoFactorAuth/ |
| Linux | ~/.local/share/jellyfin/plugins/TwoFactorAuth/ |
| Windows | %LOCALAPPDATA%\jellyfin\plugins\TwoFactorAuth\ |
Restart Jellyfin after copying.
Every release ships .md5 and .sha256 files alongside the .zip so you can confirm the artifact wasn't tampered with after upload. Releases are also Sigstore-signed with SLSA build-provenance attestation. See Releases.
- First-Time Setup — enable the plugin and enroll your first user.
- OIDC / SSO — add Google/Authentik/Keycloak/etc. sign-in.
Getting started
Features
Reference
Help