this post was submitted on 20 Aug 2023
18 points (100.0% liked)
Jellyfin: The Free Software Media System
5837 readers
36 users here now
Current stable release: 10.10.3
Matrix (General Information & Help)
Matrix (Off-Topic) - Come get to know the team and blow off steam!
Matrix Space - List of all the available rooms on Matrix.
Discord - Bridged to our Matrix rooms
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This is a crosspost of a post in a self-hosted community that isn't mine. You'll either have to at-mention OP to get their attention here, or comment in the other post they made.
But I can cover this particular question as well. The "trick" duo uses, is that is sends the 2fa request out of band to the duo app. So the flow goes like this:
So the trick with DUO, unlike say TOTP codes... is that the app is none the wiser that 2fa is happening. It thinks it just sent a regular username and password to the slowest damn Jellyfin server in the world that takes 30s to decide if the login is good. But as long as it doesn't timeout the login, the 2fa happens completely transparently to Jellyfin and the app... with the verification happening in a separate app and being a manger by the LDAP server, DUO servers, and DUO app.
So yeah, apps should work as long as they can handle very slow logins.
Thank you for the explanation. Before Authelia I used Cloudflare ZeroTrust email-autentification, but switched, because I wanted full self hosting. Relying on DUO instead would bring me back to that dependant situation. In other words, I'll probably stick with my Authelia solution for now