Which app was the person using that you were linking them to? There is no need for a video.
I think we understand: Immediately after authenticating (via the link mechanism), you are not prompted to enter a pin.
You feel that’s a change, and you feel that’s a security problem.
That’s the behavior I expect on most clients. I wonder if there are some clients that behave differently.
Edit: Yes, definitely different behavior between clients - and perhaps not “most”, except for what I have the most of. (-:
Apple TV: Straight to user
Roku: User-switching prompt
Plex HTPC: User-switching prompt
Plex.app for Mac: Straight to user (No /link mechanism)
iOS: Straight to user (No /link mechanism)
Plex Web: Straight to user (No /link mechanism)
I don’t have any Android/WebOS/Tizen devices in arm’s reach.
Even if every device shows the user-switching prompt, a single-factor, static, four-number PIN is not an account security mechanism. It’s intended to keep kids away from inappropriate content.
(And if they’re logged in on your account, you have the other problems you identified.)
I will contact the individual and get you the exact player version.
Apologies, I should have posted this initially.
Will post it later when he gets back to me.
And I wonder if having the automatically sign-in setting turned on/off has an effect on it as well.
If you are expecting to go here (image below). What I am saying is that for as long as I have worked here, since before Plex Home was even a thing, it does not. It signs the user directly into their account, which was the reason for the note quoted above in the support doc.
I am not aware of any recent changes to display below instead, but it is possible I was out of the loop on some relatively new change.
Just FYI regardless if a bug or not. I personally think it is probably safer to go to user picker anyway so I will bring it up with folks.
At least on Roku, Automatically Sign In is reset (to off) when you Sign Out. So I don’t think that’s relevant.
I notice that Roku always displays the user-switching prompt, whether you’ve got a PIN configured on the primary account or not.
I ALSO notice that the PIN seems to be verified on the client, not the server or Plex cloud, so it’s REALLY not a security mechanism.
I agree. Even in the (“family”) use case, the user picker is the “right” UX flow.
My concern is that the picker seems to reinforce the idea of PIN-as-security, which does come up frequently. And the PIN ain’t security.
The current “Link” screen is nice and simple, but maybe it’s the best place to put more information? Nobody should ever share passwords or link codes with others.
It does list the account, but I’m not against a more informational warning if we don’t change behavior.
I did some short tests, and Android TV and Apple TV sign directly into the account. Smart TV based apps (including PS, XBOX, PlexHTPC) go to the picker. Roku is a bit weird because it has to follow some IMO odd rules Roku requires, but it also seems to go to the user picker.
So in any case some parity is likely needed here either way.
@machinegunkenny thank you for bringing it to our attention.
