Security on Login (Alphanumeric Pin, 6 digit Pin)

Hi,

I agree, a longer PIN code or a notification that allows you to enter your personal account and validate it is essential. Please make it.

1 Like

Hello

This is also something I’d like to see. My biggest concern is not mischievous kids - but non-tech-savvy elderly.

I have elderly home users who don’t always practice the best account security - and write down usernames and passwords on sticky notes and scrap paper, then store it somewhere. Yes, bad. I know. But most folks of that age don’t quite care or grasp the concerns.

So - the risk for me is grandma’s hand-written Plex account memo falls out of her notebook at a supermarket, and suddenly a stranger has access to her credentials and my Plex home - with only a 4-digit PIN away from full server control.

Yes - I could add 2FA to grandma’s account (thanks for finally adding this!! :D) but grandma is already overwhelmed with just a username and pwd, and so I don’t expect her to embrace 2FA.

And yes, you could also say “make grandma a managed user” - but then I always need to be around to put in my own login creds - or pass my login creds to grandma for them to also wind up on a sticky note. I do not want to share my login info, nor do I want to always need to be physically present to log them in (frequent traveler).

And while making grandma just a “friend”, and not part of the Home, is an option - that also means grandma loses the benefits from my Plex Pass. Not ideal. I won’t ask my users to all purchase Plex Passes to fill the gap on a security feature. Also, grandma likes to watch with the kids, so quick switching to other, non-admin, home users is useful.

This is just a somewhat silly example, but the risk is there. Home owners need a slightly stronger way to prevent switching to the admin account. Current options are many, but I wouldn’t say that any one of them completely fills the need.

Strengthening the PIN options, or simply providing an optional “don’t allow home users to switch to the admin account” setting - I think would go a long way to providing extra security for edge cases like these.

Thank you for considering this.

1 Like

This is exactly the kind of thing I came to the forums to suggest. The existing method for punching in your PIN on screen is so insecure it might as well not be used. Anyone in the room with you as you input your code on the TV via a remote would now know your PIN.

It would be so much better if it acted like the different 2FA apps out there (Microsoft Authenticator, Okta, Google Authenticator, etc.), where it sent the person trying to log in a push notification to their phone/watch/tablet/etc. to verify it was them trying to log in at the shared screen.

It’s been a long time and there’s no sign of it being done.

I also vote for this. I believe a 4-digit PIN is too short; 6 or 7 digits, plus allowing alphanumeric combinations, would be a lot more secure. I would love to see something like this. Any idea if something like this has been planned?

Please, Plex team, this is one small addition which could have gone through any time. It’s like adding 2 or 3 lines of code, not more than that. At least you can take care of these kinds of requests that will leave little things on your plate.

It’s hard to believe the team who developed the complete system, Plex Dash and Plexamp, can’t add this in the span of one day. Either tell us what the blocker is in this, or please do it!

I am on the same train, mate. Any alternatives you have found? Dealing with curiosity-filled teenagers.

Is it on roadmap yet?

bumping

bump

I know this does not have that many votes but the option for a 6-digit PIN is a must… There are multiple cases where a 4-digit PIN is not secure enough…

1 Like

Currently any Home user can hijack themselves into the full server administration (via Web) by simply brute-forcing their way through the 4-digit PIN “security”, which lacks proper mitigation.

Sometimes it’s as easy as looking at the TV: Hide PIN entry so not everybody in the room can see it // mod: enter PIN via remote’s keypad

Anyone can simply guess the four digits, start at 0000 and try it for a few minutes every evening, OR take the very simple approach of doing it via the web (e.g. a browser extension that fills out the form and presses enter for you, or a very simple loop of HTTP requests [Try one out: Firefox Network Tab → Save to cURL → Replace PIN in a simple loop]).

Additionally the option to use a more secure PIN (e.g. Security on Login (Alphanumeric Pin, 6 digit Pin)) would be great as well.

Potential Solutions:

  • Require the account password for any action that goes beyond watching content (accessing server/account settings)
  • Notifications (E-Mail/Mobile Push) on every login that was done using the PIN
  • Make it possible to have more secure PINs
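As an added example (my own code, not from this thread or from Plex), a defender-side model of the two levers named above: how much the keyspace grows with PIN length and alphabet, and how a lockout policy with per-login alerts caps the guess rate. The `PinGuard` class, its thresholds (5 failures, 300 s lockout) and the event list standing in for e-mail/push notifications are all assumptions.

```python
"""Constructed model of PIN guessing resistance: keyspace versus throttling."""
import hmac
import string
from dataclasses import dataclass, field

DIGITS = string.digits                        # 10 symbols
ALNUM = string.digits + string.ascii_letters  # 62 symbols


def keyspace(length: int, alphabet: str = DIGITS) -> int:
    """Number of distinct PINs of the given length and alphabet."""
    return len(alphabet) ** length


def hours_to_exhaust(length: int, alphabet: str, attempts_per_minute: float) -> float:
    """Worst-case hours for an online guesser sustaining attempts_per_minute."""
    return keyspace(length, alphabet) / attempts_per_minute / 60


def throttled_rate(max_failures: int, lockout_seconds: int) -> float:
    """Attempts per minute a guesser can sustain under a lockout policy."""
    return max_failures / (lockout_seconds / 60)


@dataclass
class PinGuard:
    """Hypothetical PIN check: constant-time compare, lockout, audit events."""
    pin: str
    max_failures: int = 5          # assumed threshold
    lockout_seconds: int = 300     # assumed lockout window
    failures: int = 0
    locked_until: float = 0.0
    events: list = field(default_factory=list)  # stand-in for e-mail/push alerts

    def verify(self, attempt: str, now: float) -> bool:
        if now < self.locked_until:
            self.events.append(("rejected_locked", now))
            return False
        if hmac.compare_digest(self.pin.encode(), attempt.encode()):
            self.failures = 0
            self.events.append(("pin_login", now))  # alert owner on every PIN login
            return True
        self.failures += 1
        self.events.append(("failure", now))
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
            self.events.append(("lockout_alert", now))
        return False
```

With the assumed policy an unthrottled 60 guesses/minute against 4 digits exhausts the keyspace in under 3 hours, while the lockout cuts the sustainable rate to 1 guess/minute and raises that to about a week, and every successful PIN login still produces an alert event.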

I don’t use the same user for watching and administration. I created an additional user for myself when watching. That mostly addresses the admin part of the TV pin-entry shoulder surfing scenario for me.

Unless you’ve added networks to “… allowed without auth”, any web administration should require username/password.

If I sound dismissive I don’t mean to be. I think I’m missing a portion of your concern.

Considering the OP has already linked other suggestions that could help his use case.
Assuming he/she wants to stick with the 1 suggestion per post, no duplicates rule, I suppose this is about helping prevent some brute-force attempts to guess the admin PIN.

I’m still missing something … bear with me, please.

The requests for better big-screen PIN-entry security make sense to me. And I agree with you - I think those other suggestions are well-formed.

What I’m not following is how guessing an admin PIN allows escalation to web-based server administration. That requires full username/password authentication.

This is probably about a Plex Home setup with managed users. So they’re already signed in and can switch users requiring only the PIN.
Again… just my interpretation – maybe the OP can confirm.

I guess there’s some curious “digital native” kid or rogue teenager trying to access some of the stuff he/she’s not supposed to see – driving their parents mad :wink:

Seriously. When they’re motivated, it’s all over. My 2 year old was successful at watching me type PINs on my phone, and soon after, passwords on a full keyboard.

I think those other suggestions already address the “PINs are guessable on TV” issue.

I read this again, and I still interpret it to be a concern that a guessed PIN will allow web-based administration.

OP can you reframe the scenario, help me understand?

1 Like