Server Version#: 1.19.5.3112 (docker)
Player Version#: 8.5.2.20133 (dfd59213) (Android 10 - Samsung S20 Ultra)
Previously reported without reply (by another user) on “Plex doesn't ask pin code of admin user on first connect on android phones” - it looks like when first signing into the Android player the user is automatically logged in as the main/Admin user. This means that users have access to content that they should be restricted access to, and could potentially remove content from the underlying file system or do other things they wouldn’t have rights to do if they were asked for the pass code first.
I’ve replicated this on two different devices on the same server. Happy to update the server to 1.20 if it would help diagnosis, but feels like there’s just a small bug in that initial sign-in.
The pin isn’t what protects access to the account, that’s what a password does. Pins don’t add security on top of passwords.
It’s the opposite. The pin is a way to reduce security, in exchange for convenience.
In a home, pins allow users to stay logged in, giving minimal protection when fast-user-switching between users.
It’s less secure than logging out, but it’s much more convenient. You should trust your “home” before you use this feature.
If you have managed users, don’t share the admin password with them. When you log in to a device for a managed user, change to their managed user before you step away.
I very much do NOT want to be prompted for my pin immediately after entering my password. It is unnecessary, not needed, redundant, and it gives the wrong impression that the pin is improving security.
I appreciate your thought on this, but the issue is that the first sign-in is the only time that this flow happens. If you force-close the app and re-open it, you’re prompted to choose user, and enter pin if that user has one.
Let’s remove the security and pin element completely. Even without a pin set, when you sign into a new device it will assume you’re the main user. All the major streaming sites that have multi-user support ask you “hey, who are you” when you sign in the first time on the device. I don’t specifically want to be prompted for the pin, I want to be prompted for which user I am, and if I have a pin then ask me for it too.
More specifically, other Plex players ask you which user you are too. The LG TV app asks which user, as does the web player when connecting via plex.tv. So I think the inconvenient behaviour that you don’t like is actually the Plex default, it just doesn’t apply to Android for some reason.
My first response was admittedly focused on the security aspect. I stand by that part: don’t share your password with managed users; don’t think of the PIN as increased security; and don’t share your Plex home with adversaries.
After reading your second message I wonder if I’m just being contrary to be contrary. I agree that it isn’t consistent today. For “big screen” apps I agree it should prompt to choose a user. For “personal” apps (and the admin page) I hope it doesn’t, but consistency is a very strong argument.
Amazon recently added multi-user support, and now they make me choose myself every time I open the app. For an account with only one user. Grr. Maybe I’m just triggered.
Plex.app for Mac doesn’t prompt you to choose a user after first signing in. It does prompt when you leave and re-launch the app.
Plex Media Player (2, and 3 preview): In TV layout mode, they prompt to choose a user after signing in. In non-TV mode, they don’t prompt you to choose a user the first time.