mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-05-30 23:40:40 +02:00
[Enhancement]: 2FA with OTP and/or Passkeys #2884
Closed · opened 2026-04-25 00:11:34 +02:00 by adam · 14 comments
Labels: enhancement
Reference: starred/audiobookshelf#2884
Originally created by @alexanderkuenzel on GitHub (Jul 13, 2025).
Type of Enhancement
Server Backend
Describe the Feature/Enhancement
More security for the accounts by adding an option to activate 2FA via OTP, and maybe also an option to use passkeys.
Why would this be helpful?
More security for user accounts.
Future Implementation (Screenshot)
Options to activate the functions on profile page.
Audiobookshelf Server Version
2.26.0
Current Implementation (Screenshot)
No response
@vehagn commented on GitHub (Jul 13, 2025):
@alexanderkuenzel Using OpenID Connect Authentication and disabling Password Authentication can grant you 2FA via OTP given that the OIDC Provider supports it.
I can recommend trying out Keycloak, Authelia or Kanidm for this.
@alexanderkuenzel commented on GitHub (Jul 13, 2025):
Ok, that's one option. But I think simple native OTP would be more comfortable because you don't need to create an account on another service first.
@Vito0912 commented on GitHub (Jul 13, 2025):
I am currently working on adding 2FA (TOTP and email - maybe passkeys, but I am not very familiar with them and it depends on how easy they are to set up) for another project, so I might look at this for ABS after I finish if @advplyr is generally okay with adding 2FA to ABS.
@advplyr commented on GitHub (Jul 13, 2025):
I don't think we should because this was the big reason for adding OIDC. Users can set up whatever auth method they want through OIDC.
This allows us to not have to manage all the different auth methods that come with overhead and careful security considerations. It is a full time effort maintaining highly configurable authentication and software like Authentik does this well already.
@Vito0912 commented on GitHub (Jul 13, 2025):
Pretty neutral in regards to whether this should get added, but some considerations why this is being added in the other project I am currently working on (/wished for):
Pro:
Cons:
@advplyr commented on GitHub (Jul 13, 2025):
Using an identity provider like Authentik is more secure because they are singularly focused on authentication. The user has to run it separately and learn how to set it up which is a valid pro argument but I don't think it outweighs the cons.
For notifications we use apprise for the same reason. There are dozens of ways that users want to configure notifications. Supporting apprise in Abs instead of trying to handle SMS, push notifications, Discord, etc. is much better in my opinion. I think we will add support for email notifications since we already have email configuration but I don't think we should build in SMS support.
@vehagn commented on GitHub (Jul 13, 2025):
This might be irrelevant, but I just finished an article on how to configure Authelia (which has support for MFA) as an OIDC provider for Abs: https://blog.stonegarden.dev/articles/2025/07/custom-oidc-claims/. All in all I think Abs has a rather mature OIDC implementation.
@dedors commented on GitHub (Jul 14, 2025):
Just wanted to share my thoughts as a hobbyist running a home lab. I have never heard of OIDC before, and even after going through the (abs) guide, I'm honestly lost on how to get started. It seems like I'd need another service or container, but the top results I find on Google seem to be outdated by a few years.
I get what this is trying to achieve and the benefits are clear, but it feels overly complicated for my needs. It would be a whole project just to test it and switch everything over.
Currently, I use two-factor authentication (2FA) via an authenticator app for services exposed to the internet, such as Nextcloud, Home Assistant, and Vaultwarden, and I was able to set them up directly. A solution that does not require advanced configuration would be preferable.
@nichwall commented on GitHub (Jul 14, 2025):
I agree with advplyr that the point of implementing OIDC (which is a standard) is so users can use software dedicated for authentication, such as Authentik, Authelia, or Keycloak.
Because OIDC is a standard that can be built to, you can then use the same authentication system for multiple projects and only need to manage one set of authorization keys for users across multiple services (assuming your other services also support OIDC; not everything does).
If you want to use MFA or additional security, I think it is worth the time to learn how to set up the dedicated authentication infrastructure so you can make use of it for multiple projects rather than relying on every project to implement MFA.
@TheTerrasque commented on GitHub (Jul 14, 2025):
I would recommend starting with setting up authentik and go from there. I found it pretty easy to set up, and it also has guides on how to set up many different clients.
Regarding the topic itself, I feel advanced security is best served with a dedicated project like authentik, authelia, keycloak and similar.
@vehagn commented on GitHub (Jul 14, 2025):
It should also be possible to configure a third-party IdP like e.g. a Google OAuth client, though I haven't looked into it. I think this is where to start: https://support.google.com/cloud/answer/15549257
@advplyr commented on GitHub (Jul 14, 2025):
I can see the argument for rolling our own 2FA, but it's not something we're going to do in the foreseeable future. I appreciate everyone's input on this.
@Meharis108 commented on GitHub (Dec 8, 2025):
I just got familiar with OIDC and it works like a charm. That said, it was a steep learning curve with Authentik.
Now I want to expose the host via reverse proxy, and for that I want to disable password authentication.
When I do so, is there any way, should Authentik fail or my OIDC admin user get broken, to enable password authentication again from the database or shell or so, to log in with root? I just always like to have a fallback plan if something breaks.
Thanks for all the work.
@tiodonas commented on GitHub (Feb 12, 2026):
I wholeheartedly disagree. It's already hard enough to get people to move to self hosted options. Asking users to go through a steep learning curve just to enable 2FA is an unreasonable ask and unnecessary friction point. Most users already have some sort of OTP app. It's the lowest common denominator and should be a standard baseline to target.