[2FA/TOTP] Direct support for 2FA/TOTP.

[englut]

The feature

I see that OAuth is supported now and I understand previous feature requests were closed because that's one way of achieving this. But I'd argue that having to set up a separate service, and relying on that instead isn't exactly what this feature is.

It would be great if we could get proper 2FA / TOTP support in Immich directly without needing to jump to a different service (selfhosted or otherwise).

Platform

• Server
• Web
• Mobile

[schuhbacca]

Immich intentionally keeps auth simple and delegates to dedicated solution. That's a design choice that is unlikely to change.

[Allexio]

And how would that design choice be questioned?

Are you saying that if someone made a pull request to implement it you would deny that simply because it doesn't adhere to your design vision?

I feel like for something like photo hosting, which contains extremely sensitive information, the lack of integrated 2FA support is quite jarring...

And it's not like there is a lack of open source support for 2FA from other FOSS apps (ex. Bookstack).

I don't see how forcing users to use an extra service is a good idea, and in fact it makes it more dangerous because most users will probably not go through that extra hoop and you are indirectly putting their data in danger of being compromised.

[torik988]

i agree with @qauff i think the need to use an external service, isn't a good idea. for example, i decided to not use 2fa in my install, because it was an other step in the setup. pleast add TOTP

[nesalkiN]

Very surprised there is no native TOTP-support. Started to set up Authelia (and looked at Authentik) but gave up. Spinning up several new containers, edit config files and trying to learn all about this new topic proved too much for me. I see people asking all the time about 2FA/TOTP-support. I really hope this would be reconsidered.

[brechsteiner]

@Finkregh Interesting, I have not found anything in the documentation, can you show me where this function is described?

[englut]

@brechsteiner it looks like it's something like this: https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/.

I'm unsure how this will play with the mobile app.

[Finkregh]

@Finkregh Interesting, I have not found anything in the documentation, can you show me where this function is described?

In the mobile app settings in "Sonstiges" in german - bottom entry - you can choose a client ssl certificate.

Also: https://git.h.oluflorenzen.de/finkregh/scratchpad/wiki/mTLS-with-cfssl-generated-certificates

[englut]

In the mobile app settings in "Sonstiges" in german - bottom entry - you can choose a client ssl certificate.

Also: https://git.h.oluflorenzen.de/finkregh/scratchpad/wiki/mTLS-with-cfssl-generated-certificates

Oh neat! I will test this out myself. This is a much stronger 2FA. Maybe the Immich team should push this instead if they're not wanting TOTP 2FA implementations.

[englut]

Got it working! Typically I had my server behind cloudflare, but cloudflare doesn't pass through client certificates. Cloudflare also has their own client certificate mechanism, but it only works for APIs and IoT devices, blocks my browser requests. So now I'm stuck deciding between Cloudflare or Client Certificate auth 😞

No matter what, we're stuck with a compromise. We really need TOTP 2FA.

[zynexiz]

Would also want see an implementation of TOTP 2FA to add extra layer of security, specially on interface facing the open internet. Lot of open source apps I use have this, like NextCloud and Firefly III, and it's easy to enable without any additional running services. Doesn't seem to be that hard to implement either after what I researched earlier.

It's pretty crucial for security reasons. If someone manage to brute force the login, you are screwed. Having 2FA prevents malicious actor gaining access even thru brute forcing. I looked into OAuth, and although it's good, it require additional services and configurations to be set up for one service, which I would argue that many skip because of the added complexity.

[deanfourie1]

Come on, 2FA is a no-brainer. Nuff said.

[nesalkiN]

It's a very odd decision.

I chose Immich specifically to avoid dependency on external services. But if the alternative is setting up a new container, keeping it safe and updated, editing config files, configuring the reverse proxy (more file editing), adjusting DNS settings and learning an entirely new process just to have some form of TOTP/2FA exclusively for Immich, that’s just too much.

I really like Immich, and I’m very grateful to the developers, but for me, this is a hard pill to swallow.

[Murguth]

I do totally agree with you.

[brechsteiner]

@schuhbacca I know that it is a design decision that auth should be delegated to an IdP. But not all users are able to operate an IdP, especially if only for one app. That's why I'm asking you to add this feature request to the roadmap.

[englut]

I wouldn’t mind looking into implementing this feature myself. But I don’t want to have my PR auto rejected because it’s a design choice. I still strongly believe this is a necessary feature and don’t mind contributing.

[deanfourie1]

Just look at the amount of interest in this thread alone, how can this be ignored or prs rejected. So strange.

[bo0tzz]

This has been covered thoroughly in a handful of other places, but I'll rehash it here once more. Implementing a good authentication system is hard, and therefore easy to get wrong, while being exactly the sort of thing you do not want to get wrong. We decided a long time ago that the risk of getting it wrong is not worth it, because it is easy enough to support OAuth and delegate the hard parts to other people who know what they're doing and have all the auth stuff figured out. That's an application security decision that community interest doesn't have much bearing on.

There are many great OAuth providers out there, including options you don't have to manage yourself such as using something like Github as the OAuth provider. If you have the knowledge necessary to manage Immich, you can also figure out OAuth, and then you can rest easy knowing that the critical authentication layer is being handled by people who are fully focused getting it right.

[wobfan]

More moving parts = more things that can go wrong.

While that may be true, leaving such a complicated topic like OAuth configuration to the user - risking many of them improperly configuring it or avoiding OAuth altogether (as I did) - leads to worth overall security, imo.

TOTPs is not a complicated thing to implement, and is covered by a multitude of open source libraries. Why not implement that into Immich and leave more complicated OAuth configuration to advanced users. Or, e.g., add handling of an external SMTP server for 2FA emails. That would even be simpler to develop, and, while not the preferred option for 2FA in most cases, lowers the bar for simple 2FA a lot.

Using MFA and per-service passwords are the pillars of authentication. We should not leave this to the users to circumvent this by forcing them to provide a OAuth server themselves.

[bo0tzz]

We've drawn the line where it is now. Moving that for just one "simple" thing invites discussion to move it some more for another "small addition" etc, we're not going there. If you want TOTP, set up an IDP for OAuth. That's also not a complicated thing to implement ;)

[englut]

@bo0tzz can the dev team refer a simple one for users to setup at least? maybe there can be a docker-compose to easily set one up. This is the only self hosted app that I have that supports OAuth, so it'd be the only one I need it for. I do appreciate that immich allows for client certificates in the mobile app, so thanks for approving that PR!

[Allexio]

@bo0tzz can the dev team refer a simple one for users to setup at least?

I am not part of the dev team, but I can definitely recommend Authelia (not affilliated with Authelia either, just so we're clear).

Instructions are pretty clear on the wiki, and there are also multiple third party articles on how to set it up if you really need extra help.
I've always been able to get help on their discord when I had an issue (which was always because of a mistake I made).

Honestly I know I initially complained about Immich not supporting MFA directly, but now that I've implemented Authelia on my server I feel like it was something that was much needed, my server is more secure and my users only have one set of credentials.

It's just better for everyone involved.

Authelia setup guide: https://www.authelia.com/integration/prologue/get-started/
Immich Authelia integration guide: https://www.authelia.com/integration/openid-connect/immich/

[wobfan]

@bo0tzz can the dev team refer a simple one for users to setup at least?

I am not part of the dev team, but I can definitely recommend Authelia (not affilliated with Authelia either, just so we're clear).

Instructions are pretty clear on the wiki, and there are also multiple third party articles on how to set it up if you really need extra help. I've always been able to get help on their discord when I had an issue (which was always because of a mistake I made).

Honestly I know I initially complained about Immich not supporting MFA directly, but now that I've implemented Authelia on my server I feel like it was something that was much needed, my server is more secure and my users only have one set of credentials.

It's just better for everyone involved.

Authelia setup guide: https://www.authelia.com/integration/prologue/get-started/ Immich Authelia integration guide: https://www.authelia.com/integration/openid-connect/immich/

While I'm thankful for the references, and even searched for more detailed, simpler, guides, I cannot refrain from just urging the maintainers to at least consider to move the line in regards to auth a little further.
I am by no means an amateur, and even have worked with Keycloak some years ago in a production environment, but setting up Authelia without reading into it's extensive documentation from the start, probably digging into OAuth before, to know all the vocabulary (which is impossible), I'd say that no one can and should set up this auth environment, because the risk of an insecure setup is incredibly high.

One could now reply "yeah, but this is their responsibility", and would be right, but in my honest opinion, I think most of the amateur hobby users of Immich, who just want to ditch the big privacy-invading companies like Google and the other big cloud providers and want to store their data in their proximity or at least on their servers, won't be able or not be willing to go through this. And by this, we're "f, worcing" them to leave it to user password login, without any other factor. Which in the end just is, and will continue to be, an unsafe configuration, when your server should be available from outside of your local network. Sure, still, it's their decision.

To draw a line here: I am not a maintainer or contributor so I am not in the position to be mad at anyone here, and instead am incredibly grateful to anyone working or contributing to this beautiful, almost too good to be true open source project. Also, I respect the clear decisions of the maintainers, if they stay like they are. Still, I wanted to at least state my opinion here one last time. Sorry for the spam, and thanks for all the great work.

[dansity]

I have tried to setup Authentik but it went so over my head I don't even know what I was looking at. I'm not an IT guy. I'm also behind CGNAT and my only option is cloudflare tunnel which makes everything even more complicated with certificates.
pls add TOTP, thanks