I realized the “Forgot Password” reset email works even if you never set a password in Plex and just relied on Apple (and I assume the same goes for Google/Facebook). This bypasses any security you may have on your Apple/Google/Facebook account.
I.e.:
- Create an account using Sign in with Apple
- You never create a password in Plex and you can’t add MFA to Plex
- An attacker who has your email can follow the password reset procedure. If the reset email is intercepted, the attacker can get into your Plex account regardless of the MFA and other security protections on your Apple account.
I’d have assumed that since I don’t have a password it can’t be reset. I can see an account recovery/convenience argument being made for things being the way they are. But, if things stay the way they are, folks should know they’re probably more secure adding a strong password and MFA rather than no password and signing in with another service.
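As an added illustration of the design point above (example code written for this post, not Plex's own code; the `Account` fields, the two policy functions and the sample accounts are all hypothetical), this models a password-reset endpoint that hands out a reset link to any account with an email address beside one that first checks whether a local password exists at all:

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Account:
    """Hypothetical account record (constructed for this example)."""
    email: str
    idp: Optional[str] = None            # e.g. "apple" when created via Sign in with Apple
    password_hash: Optional[str] = None  # None: the user never set a local password
    mfa_enabled: bool = False            # MFA on the local login, if any

def reset_allowed_permissive(acct: Account) -> bool:
    # Behaviour described in the post: a reset email goes out for any account,
    # so an SSO-only account is protected only as well as its mailbox is.
    return True

def reset_allowed_hardened(acct: Account) -> bool:
    # Only accounts that actually hold a local password have something to reset.
    # SSO-only accounts are sent back to their identity provider instead, so the
    # IdP's MFA and other protections stay in the path.
    return acct.password_hash is not None

def request_reset(acct: Account, policy: Callable[[Account], bool]) -> dict:
    """Decide what the 'Forgot Password' flow does for this account under a policy."""
    if policy(acct):
        return {"action": "send_reset_email", "to": acct.email}
    return {"action": "redirect_to_idp", "idp": acct.idp}

def factors_an_attacker_must_defeat(acct: Account, policy: Callable[[Account], bool]) -> set:
    """Rough risk view: which controls stand between an attacker and this account."""
    if policy(acct):
        # A reset link reduces everything to control of the mailbox.
        return {"mailbox"}
    if acct.password_hash is None:
        return {"idp_account"}
    return {"password", "mfa"} if acct.mfa_enabled else {"password"}

if __name__ == "__main__":
    sso_only = Account("user@example.invalid", idp="apple")  # constructed sample
    print(request_reset(sso_only, reset_allowed_permissive))  # reset email goes out
    print(request_reset(sso_only, reset_allowed_hardened))    # redirected to Apple
```

Under the permissive policy, adding a strong local password plus MFA does not remove the mailbox-only path either, which is why the reset policy, not just the user's choice of login, decides the effective protection.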