[2FA/TOTP] Direct support for 2FA/TOTP.

[englut]

The feature

I see that OAuth is supported now and I understand previous feature requests were closed because that's one way of achieving this. But I'd argue that having to set up a separate service, and relying on that instead isn't exactly what this feature is.

It would be great if we could get proper 2FA / TOTP support in Immich directly without needing to jump to a different service (selfhosted or otherwise).

Platform

• Server
• Web
• Mobile

[schuhbacca]

Immich intentionally keeps auth simple and delegates to dedicated solution. That's a design choice that is unlikely to change.

[Allexio]

And how would that design choice be questioned?

Are you saying that if someone made a pull request to implement it you would deny that simply because it doesn't adhere to your design vision?

I feel like for something like photo hosting, which contains extremely sensitive information, the lack of integrated 2FA support is quite jarring...

And it's not like there is a lack of open source support for 2FA from other FOSS apps (ex. Bookstack).

I don't see how forcing users to use an extra service is a good idea, and in fact it makes it more dangerous because most users will probably not go through that extra hoop and you are indirectly putting their data in danger of being compromised.

[Mr-Boshi]

The problem with this approach is in the restrictions it would impose on using mobile apps and its functions. Having a middleware like authelia or authentik will probably brake the apps ability to connect to the server. And even if I will be able to manually login through the SSO, the token will eventually expire and If I miss that the app turns into a brick.

Having the feature of TOTP does not brake the simplicity of auth if it is not also made mandatory. It is just an extra feature that helps ones that need it.

[AbelLykens]

will probably brake the apps ability to connect to the server

It will not :) -- oauth works 100% fine with apps

[Mr-Boshi]

It will not :) -- oauth works 100% fine with apps

You are right! I did not realize that there is out-of-the-box support of OAuth, the option to turn off logging with password AND a manual for authentik integration. This is just perfect.

[torik988]

i agree with @qauff i think the need to use an external service, isn't a good idea. for example, i decided to not use 2fa in my install, because it was an other step in the setup. pleast add TOTP

[nesalkiN]

Very surprised there is no native TOTP-support. Started to set up Authelia (and looked at Authentik) but gave up. Spinning up several new containers, edit config files and trying to learn all about this new topic proved too much for me. I see people asking all the time about 2FA/TOTP-support. I really hope this would be reconsidered.

[brechsteiner]

@Finkregh Interesting, I have not found anything in the documentation, can you show me where this function is described?

[englut]

@brechsteiner it looks like it's something like this: https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/.

I'm unsure how this will play with the mobile app.

[Finkregh]

@Finkregh Interesting, I have not found anything in the documentation, can you show me where this function is described?

In the mobile app settings in "Sonstiges" in german - bottom entry - you can choose a client ssl certificate.

Also: https://git.h.oluflorenzen.de/finkregh/scratchpad/wiki/mTLS-with-cfssl-generated-certificates

[englut]

In the mobile app settings in "Sonstiges" in german - bottom entry - you can choose a client ssl certificate.

Also: https://git.h.oluflorenzen.de/finkregh/scratchpad/wiki/mTLS-with-cfssl-generated-certificates

Oh neat! I will test this out myself. This is a much stronger 2FA. Maybe the Immich team should push this instead if they're not wanting TOTP 2FA implementations.

[englut]

Got it working! Typically I had my server behind cloudflare, but cloudflare doesn't pass through client certificates. Cloudflare also has their own client certificate mechanism, but it only works for APIs and IoT devices, blocks my browser requests. So now I'm stuck deciding between Cloudflare or Client Certificate auth 😞

No matter what, we're stuck with a compromise. We really need TOTP 2FA.

[zynexiz]

Would also want see an implementation of TOTP 2FA to add extra layer of security, specially on interface facing the open internet. Lot of open source apps I use have this, like NextCloud and Firefly III, and it's easy to enable without any additional running services. Doesn't seem to be that hard to implement either after what I researched earlier.

It's pretty crucial for security reasons. If someone manage to brute force the login, you are screwed. Having 2FA prevents malicious actor gaining access even thru brute forcing. I looked into OAuth, and although it's good, it require additional services and configurations to be set up for one service, which I would argue that many skip because of the added complexity.

[nesalkiN]

It's a very odd decision.

I chose Immich specifically to avoid dependency on external services. But if the alternative is setting up a new container, keeping it safe and updated, editing config files, configuring the reverse proxy (more file editing), adjusting DNS settings and learning an entirely new process just to have some form of TOTP/2FA exclusively for Immich, that’s just too much.

I really like Immich, and I’m very grateful to the developers, but for me, this is a hard pill to swallow.

[Murguth]

I do totally agree with you.

[brechsteiner]

@schuhbacca I know that it is a design decision that auth should be delegated to an IdP. But not all users are able to operate an IdP, especially if only for one app. That's why I'm asking you to add this feature request to the roadmap.

[englut]

I wouldn’t mind looking into implementing this feature myself. But I don’t want to have my PR auto rejected because it’s a design choice. I still strongly believe this is a necessary feature and don’t mind contributing.

[deanfourie1]

Just look at the amount of interest in this thread alone, how can this be ignored or prs rejected. So strange.

[bo0tzz]

This has been covered thoroughly in a handful of other places, but I'll rehash it here once more. Implementing a good authentication system is hard, and therefore easy to get wrong, while being exactly the sort of thing you do not want to get wrong. We decided a long time ago that the risk of getting it wrong is not worth it, because it is easy enough to support OAuth and delegate the hard parts to other people who know what they're doing and have all the auth stuff figured out. That's an application security decision that community interest doesn't have much bearing on.

There are many great OAuth providers out there, including options you don't have to manage yourself such as using something like Github as the OAuth provider. If you have the knowledge necessary to manage Immich, you can also figure out OAuth, and then you can rest easy knowing that the critical authentication layer is being handled by people who are fully focused on getting it right.

[bo0tzz]

We've drawn the line where it is now. Moving that for just one "simple" thing invites discussion to move it some more for another "small addition" etc, we're not going there. If you want TOTP, set up an IDP for OAuth. That's also not a complicated thing to implement ;)

[englut]

@bo0tzz can the dev team refer a simple one for users to setup at least? maybe there can be a docker-compose to easily set one up. This is the only self hosted app that I have that supports OAuth, so it'd be the only one I need it for. I do appreciate that immich allows for client certificates in the mobile app, so thanks for approving that PR!

[Allexio]

@bo0tzz can the dev team refer a simple one for users to setup at least?

I am not part of the dev team, but I can definitely recommend Authelia (not affilliated with Authelia either, just so we're clear).

Instructions are pretty clear on the wiki, and there are also multiple third party articles on how to set it up if you really need extra help.
I've always been able to get help on their discord when I had an issue (which was always because of a mistake I made).

Honestly I know I initially complained about Immich not supporting MFA directly, but now that I've implemented Authelia on my server I feel like it was something that was much needed, my server is more secure and my users only have one set of credentials.

It's just better for everyone involved.

Authelia setup guide: https://www.authelia.com/integration/prologue/get-started/
Immich Authelia integration guide: https://www.authelia.com/integration/openid-connect/immich/

[wobfan]

@bo0tzz can the dev team refer a simple one for users to setup at least?

I am not part of the dev team, but I can definitely recommend Authelia (not affilliated with Authelia either, just so we're clear).

Instructions are pretty clear on the wiki, and there are also multiple third party articles on how to set it up if you really need extra help. I've always been able to get help on their discord when I had an issue (which was always because of a mistake I made).

Honestly I know I initially complained about Immich not supporting MFA directly, but now that I've implemented Authelia on my server I feel like it was something that was much needed, my server is more secure and my users only have one set of credentials.

It's just better for everyone involved.

Authelia setup guide: https://www.authelia.com/integration/prologue/get-started/ Immich Authelia integration guide: https://www.authelia.com/integration/openid-connect/immich/

While I'm thankful for the references, and even searched for more detailed, simpler, guides, I cannot refrain from just urging the maintainers to at least consider to move the line in regards to auth a little further.
I am by no means an amateur, and even have worked with Keycloak some years ago in a production environment, but setting up Authelia without reading into it's extensive documentation from the start, probably digging into OAuth before, to know all the vocabulary (which is impossible), I'd say that no one can and should set up this auth environment, because the risk of an insecure setup is incredibly high.

One could now reply "yeah, but this is their responsibility", and would be right, but in my honest opinion, I think most of the amateur hobby users of Immich, who just want to ditch the big privacy-invading companies like Google and the other big cloud providers and want to store their data in their proximity or at least on their servers, won't be able or not be willing to go through this. And by this, we're "f, worcing" them to leave it to user password login, without any other factor. Which in the end just is, and will continue to be, an unsafe configuration, when your server should be available from outside of your local network. Sure, still, it's their decision.

To draw a line here: I am not a maintainer or contributor so I am not in the position to be mad at anyone here, and instead am incredibly grateful to anyone working or contributing to this beautiful, almost too good to be true open source project. Also, I respect the clear decisions of the maintainers, if they stay like they are. Still, I wanted to at least state my opinion here one last time. Sorry for the spam, and thanks for all the great work.

[Nornode]

As a new user this decision is very very hard to understand.
I use many different self hosting services and add in MFA and Yubikey when possible.
The implementation that Vaultwarden uses seems easy enough without too many moving parts still ensuring the capability.

[dansity]

I have tried to setup Authentik but it went so over my head I don't even know what I was looking at. I'm not an IT guy. I'm also behind CGNAT and my only option is cloudflare tunnel which makes everything even more complicated with certificates.
pls add TOTP, thanks

[Mr-Boshi]

I can "succeed" but I won't put the time in to do it just for 1 of many services I selfhost. I will use Google as of now.

But the fun in authentik is specifically to provide SSO (and MFA) for many self-hosted services at once (even for those without any build-in authentication at all). If you run "many services", you can potentially benefit from using it for at least a couple of them... But it's your time, so whatever floats your boat, no disrespect.

[nesalkiN]

Yes, I can see the use but why would I introduce another system with its own update requirements, backups and usage of resources? I don't need it for any other "app". I see that it could be useful, sure but I'm not thinking about myself only here. Some people just want to self host immich and nothing else. Setting up some oauth solution will probably not happen in those cases so my guess is we will see lots of instances just protected with passwords and no 2FA when Immich go stable.

I'm OK with Google for now but it's quite ironic to still depend on 3rd party. 😉
Each to their own.

[Mr-Boshi]

There are things to be done by developers and things to be done by the enduser.

Exactly. The most important thing to be done by the enduser is to choose the software that fits his/her needs and set it up properly.

There is a way to get Immich with TOTP right now, there are numerous tutorials on how to do it. Use external SSO. Or maybe a VPN instead?
And there is also a way to get a change for build-in TOTP in 10 years...
The choice is yours.

[Mr-Boshi]

Some people just want to self host immich and nothing else. Setting up some oauth solution will probably not happen in those cases.

I hear you, and I agree.
But to host Immich is not just to deploy a single stack. You have to setup a reverse proxy, DNS records. Setup ports, NAT, firewall. Get a domain and ssl as an option. There is a lot of stuff to do and to be honest I am not that sure that adding a oauth (a developed and robust one) into the bucket making it that much more.
There is also always an option to set some kind of VPN or another tunnel.

[Mr-Boshi]

To put it simply: you either are concerned about your data security and get yourself a MFA right now/don't expose Immich to the internet, or you are not that worried about security anyway.
Arguing on GitHub is not a security patch 😁

[torik988]

It's crazy that this kind of safety feature is not on the priority development list.
For a project handling such important information (personal photos) and being this popular (one of the best self-hostable photo libraries), and even after all the messages from users (more than a dozen), it's surprising that this major safety feature is still not considered important enough to be added. Hopefully, some of the team will reconsider the importance of this feature.🫡

[SoPat712]

Yeah, not to necropost, but it seems like almost every other self hosted app I expose to the internet has some form of TOTP build into it; Home Assistant, Plex, Uptime Kuma. I'd love an implementation for Immich as well, since I can't exactly give my grandparents Tailscale and expect them to figure it out every time, so I just have to publicly host it.

[mueller-lukas]

Hi everyone,

I wanted to share my thoughts on this important topic. As someone who values the privacy and security of my personal photos, I'm genuinely concerned that Immich doesn't offer built-in support for TOTP/2FA. Our photos capture precious moments and memories, and the idea of someone gaining unauthorized access to them is alarming.

I truly believe Immich has the potential to be an excellent alternative to Google Photos and iCloud. However, the lack of this essential security feature is a significant oversight. Implementing TOTP/2FA should be a priority, making it easy for all users to protect their sensitive data. There's clearly a strong interest in this feature, and I hope it will be reconsidered as 2FA is a necessity for any login system, even a simple one.

[nesalkiN]

This topic feels sensitive for some reason. Try to mention it on Discord and you will be cut off fast and hard. I have given up on it. I understand the "use oauth"-thing but it's not that easy or black and white.

[alextran1502]

@nesalkiN I don't think it is sensitive, just that we have decisions that we would like to stick to.

There are reason why OAuth provider project exist as a standalone project, such as Authentik, Authelia, Zitadel...etc. Security is hard

Let's say we decide to implement one way to use OAuth natively in the app, users will ask for more features within OAuth. Which will take time and effort away from actual developing a photo and video management part of Immich.

It would be better off for users that want OAuth to use solutions that are implemented by security oriented developers, we don't want to give the user a false sense of security by just having it in the application.

I hope this helps clear up things

[nesalkiN]

I'll just repost my answer. Used ChatGPT to correct my English and destroyed everything when I tried to paste it. 😉

We just ask for 2FA using TOTP like every other self-hosted app that supports 2FA. If you want to use OAuth, great! That option should still be available.

Security is hard, yes but adding extra layers makes it even harder. Spinning up additional containers that we need to understand, configure, keep updated, and integrate with our reverse proxies is a lot of work, especially for just one self-hosted app. The biggest risk I see here is that people will simply skip it and leave Immich without 2FA protection. I know I did, until I started feeling very uneasy (since these are personal and private pictures). Now, I use Google for OAuth, but that also feels counterintuitive. I wanted to reduce my reliance on third parties like Google, not add to it.

I understand that this is ultimately up to the user, but the current choices are very limited. Right now, it's either no 2FA at all or OAuth via a third-party provider that you also have to set up, learn, and manage (or just default to Google or some other provider).

This request comes up a lot, and people ask for it for a reason. I've made peace with using Google OAuth for now if I want to stick with Immich. I just think that's a bit of a shame. Additionally, people expect 2FA to be native nowadays. They don’t wonder if it's available, they assume it is. Most won’t even check the documentation for it. Instead, they might ask on Discord where to find the 2FA settings, only to be shut down pretty quickly. I get that the question gets repetitive, but for the individual asking, it’s an honest question about something that they naturally assume every app supports by default these days.

Thank you for your answer! I really appreciate it. And I love Immich. So thanks again.

[dansity]

@alextran1502 the problem is Authentik, Authelia is really difficult to setup. And when I say difficult I mean nearly impossible for the avarage user.
I dont think anyone asked the devs to develop a full security package from zero, maybe implement something like Keycloak?
https://github.com/keycloak/keycloak

[Aralox]

I was excited to discover Immich and have just set it up today, and was trying to find the 2FA setting above like @nesalkiN mentioned - I assumed it's available, because it's basically a no-brainer. I am genuinely shocked to see that it's not available, and that I'm expected to host some sort of thing that provides my own OAuth. I have no idea how to do that and just don't have the capacity to figure it out. I'll have a shot at using google OAuth, but my wife won't be able to do that. (EDIT: Just looking at the instructions for configuring Google OAuth, I can see why this just isn't viable. It's ridiculously complex - the target audience here are people who want a Google Photos replacement, not people willing to spend hours learning how to just log in). I have my Immich instance exposed to the internet via Cloudflared on my Home Assistant (Immich running as an addon). It's great and all just works. My HA gets pinged by bots every other day trying to log in, but I'm not worried, mostly because of 2FA. I feel nervous leaving Immich open without 2FA.
If the code is really that difficult, I'd be happy with even a basic thing like sending an email with a confirmation link before logging in. Just anything between the open internet and a password string to get into my Immich server.
I really hope the priority of this gets through to someone. Thank you for your work!

[dansity]

If you are using cloudflare you can use the 2FA service of CF. It is email based but does the job. Follow this video: https://youtu.be/J4vVYFVWu5Q

[Aralox]

Thank you @dansity! I have set this up on my and my wife's phone. I feel much better about accessing Immich externally, and now it's qualified to be a viable Google Photos replacement for us.

[alexberdnik]

As a workaround if you use nextcloud, you can enable 2fa there and use it as an oath provider.

[RadioHerzblut]

Hello everyone,

About a year ago, I made a conscious decision to switch to open source - out of conviction and with the aim of taking full control of my data into my own hands.

I no longer want to be dependent on large corporations to collect and analyse my information. Instead, I want transparency, self-determination and digital independence - in my own home, on my own systems.

For me, authentication is also an important part of this digital sovereignty: it should not run via centralised services of the ‘big players’, but should be decentralised and trustworthy.

That's why I would be delighted to see support for TOTP or two-factor authentication - another important step towards security and freedom for everyone who relies on open source!

[AbelLykens]

I understand the same feelings many others have written up here. I also used to feel the same too: I really thought TOTP should be part of the product.

I have since, because of this "limitation" set up Authelia. It's FOSS too. Originally only for Immich, now I use it for 20+ of my home/hosted apps.

Authentication is hard. I understand why Immich does not want to add it to their product.

Bonus for me: now Authelia has Passkey support too, and I now got that "for free" for Immich as well. And did not have to bother Immich devs to add Passkey support (after adding TOTP support). And The Next Thing in Authentication I'll get from Immich, and Immich doesn't have to use their dev time.

I believe devs have made it clear enough why TOTP shouldn't be in Immich. Although I was annoyed, I do agree (now).

[torik988]

I was just about to share a similar perspective — glad to see others have come to the same conclusion.

Personally, I chose to go with Authentik as my identity provider. I originally set it up solely for Immich, but I now rely on it for over five of my self-hosted services. What started as a workaround ended up being a major improvement in how I manage authentication across my stack.

While I initially wished Immich had native TOTP support, I’ve come to appreciate the reasoning behind the developers’ decision. Offloading authentication to a dedicated service not only simplifies Immich’s scope, but also allows me to benefit from new features — like Passkey support — without waiting on specific product updates.

This approach has turned out to be more scalable and future-proof than I expected.

[Zer0CoolX]

Just setup Immich. It overall looks stellar and I greatly appreciate all the work that went into it.

I was, however, shocked to see no option for 2FA/TOTP built in once I logged in for the first time.

The devs have every right to choose how, what and if they do a thing...

Having said that, the statement being given that "Auth is hard so we decided to not implement this important security feature" is counter intuitive for multiple reasons:

1. Auth is hard, so make individuals responsible for setting up external auth and 2FA. The chance individuals mess it up or simply don't implement 2FA is now higher vs a built in 2FA having an issue.
2. There are countless other open source software implementing 2FA. Is it not possible to use any of them as a reference to implement a reliable, low risk solution with reduced effort?
3. Password auth is already built in. I assume the devs trust their work on this feature enough to include it. Whats more risky? People use the built in auth with no 2FA or the devs implement TOTP as 2FA in combination with existing password auth?
4. Using an external auth solution has its own security risks as a single point of failure. Some people may not want all their services using a single auth provider.

I hope the devs reconsider this stance.

[wheremygit]

I'm honestly surprised that Immich encourages outsourcing 2FA entirely. Many self-hosted projects like Vaultwarden, Firefly III, and Pi-hole implement TOTP or even basic email based 2FA -- and for good reason.

Photos are sensitive data and leaving them protected only by a password (even via OAuth) is risky. Adding basic 2FA (even email based 2FA) support internally, even as an option, would go a long way in improving user security & trust.

[torik988]

At the beginning, I thought the same as you — a feature like TOTP should be a basic security feature and included in Immich. But the explanation from the team made sense: Immich easily supports external authentication platforms like Authelia, Authentik, or even Google OAuth.

At first, I didn’t want to set up another Docker container just for Immich. But after some research, I discovered that Authentik also supports my Proxmox instance, my Portainer instance, and many other services I run in my homelab. Now I have Authentik set up for all my services, and with one account secured with 2FA — for example, using my YubiKey — I can easily and securely access everything.

So, I think that anyone looking for 2FA in Immich should consider setting up an authentication provider like Authelia or Authentik.

Anyway, that’s just my two cents — do whatever works best for you. Have a great day!

[wheremygit]

At the beginning, I thought the same as you — a feature like TOTP should be a basic security feature and included in Immich. But the explanation from the team made sense: Immich easily supports external authentication platforms like Authelia, Authentik, or even Google OAuth.

At first, I didn’t want to set up another Docker container just for Immich. But after some research, I discovered that Authentik also supports my Proxmox instance, my Portainer instance, and many other services I run in my homelab. Now I have Authentik set up for all my services, and with one account secured with 2FA — for example, using my YubiKey — I can easily and securely access everything.

So, I think that anyone looking for 2FA in Immich should consider setting up an authentication provider like Authelia or Authentik.

Anyway, that’s just my two cents — do whatever works best for you. Have a great day!

I did set up Authentik and enabled it for Immich and Portainer as well. But honestly, I’m not very positive about it. For a small homelab setup, especially with limited resources, it adds unnecessary complexity.

You still have to secure Authentik itself with 2FA and that makes it a single point of failure. If anything breaks with Authentik, I lose access to all connected services. So I need to have password logins enabled for redundancy anyways. That’s a major risk in a setup meant to be reliable and self-sufficient.

Having native 2FA in Immich would be simpler, safer, and more in line with most other modern apps. Many tools like Firefly III, Nextcloud, Pihole, even Ente Photos, Bitwarden/Vaultwarden, and others already include built-in 2FA. It is not unreasonable to expect that here.

I get that the team wants to stay focused, but the justification hasn't been very convincing to me. Native 2FA is a basic, expected feature for any service managing sensitive personal data like photos.

[bo0tzz]

I lose access to all connected services. So I need to have password logins enabled for redundancy anyways.

Not really. In a pinch you can reenable password logins for Immich (https://immich.app/docs/administration/server-commands/) and I'm sure other services will have a similar option.

[wheremygit]

I appreciate the suggestion, and it’s definitely helpful to know about the CLI recovery option.

That said, my concern is more about the security model overall. Falling back to password login essentially bypasses 2FA, which kind of defeats the purpose of having it in the first place. It becomes a bit of a tradeoff between usability and security. I totally get that balance can be tricky. I'm not a dev, so I probably don’t fully appreciate how complex it is to implement something like this.

I just think that having native 2FA would really improve both the simplicity and the resilience of the setup especially for users who don’t want to rely on external auth systems or manage additional infrastructure. I know everyone’s use case is different, but for small homelabs or personal servers which are exposed publicly, keeping things self contained and secure is really valuable. Especially when similar projects like Ente and PhotoPrism, as well as mainstream services like Microsoft OneDrive and Google Photos, already support native 2FA.

Thanks again for the replies and all the work you put into the project. It’s genuinely appreciated.

[bo0tzz]

It becomes a bit of a tradeoff between usability and security.

That's always the tradeoff between those two.

[LeCalicot]

I was disappointed to see that immich does not support 2FA.

I'm not an expert and want to run a small self-hosted server and this step looks beyond the amount of time I'm ready to dedicate to this task.

If there was some proper doc explain step by step how to set up 2FA with at least one other solution, it would be ok, but here is what I have in the doc: While the specifics of this setup vary from provider to provider, the general approach should be the same.. That's really unhelpful and clearly, as a beginner, I don't see a path to set that up.

[AverageHelper]

It would be nice to have Immich docs provide an example. In case it helps any, I know Authentik has a doc on integrating Immich with it that is generally kept up to date iirc: https://integrations.goauthentik.io/integrations/services/immich/

From my (limited) experience, Authentik looks a little complicated at first, with lots of buttons and knobs, and knowing which have security implications and which only merely behavioral or cosmetic can be hard, but Authentik has mostly reasonable defaults if most of the knobs are left as they are, and the OAuth registration flow isn't too bad imo, so it's what I've used.

[AverageHelper]

actually, I just checked and it looks like Immich has an example of the values used in Authentik, tho not a click-by-click tutorial from Authentik's admin dashboard to working OAuth registration.

As for admin-ing Authentik itself, you'll need to go to their docs and search forums for that 😅

[LeCalicot]

I just saw the example. My bad.

That link was helpful.

[LeCalicot]

Ok. I apologize, it was easier than I thought and I got it running.

There was just a mistake in the tutorial, it should read:

app.immich:///oauth-callback
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/auth/login
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/user-settings

I still think it would have been easier to have the 2FA included in Immich. Now I have to run an extra service on my server.

[wheremygit]

The sad part about Oauth is that you can still use password login which bypasses Oauth 2FA. I did set it up and found it very unnaturally and unnecessarily complicated for a homelab. And if I want my family to use immich, they won't understand a thing about oauth and would just rather prefer google photos.

The even sadder part is projects smaller than immich have 2fa implemented as well as its alternatives. So I find the dev team's reasoning very unconvincing. The very least they should do is email 2FA but ideally should have TOTP and eventually maybe passkeys.

[gabrigp]

I love Immich. I found it a week ago and I really like it as a self-hosted replacement for Google Photos.
To my surprise, I saw that, despite how advanced it looks, it didn't have two-factor authentication.
I read that you could use third-party services like Google. I set it up in Google Cloud and could log in from my computer, but I couldn't get the app to work on Android.
I tried installing Authentik and Authelia but couldn't; there was always some service that didn't work properly.
The one I was able to install was Zitadel, but it works perfectly in the web browser (as with Google directly), but again, it's impossible to get it to work in the apps.
I've searched the internet and spent hours asking for help from ChatGPT Plus and Gemini PRO, but it's been impossible.

This has left me in a very frustrating situation. I want to use Immich, but I see that it's not possible in my case to add more security than a simple password that can be brute-forced (although 1Password generates it for me).

My photos show my family or work documents that I photograph to keep handy. All of this can't be accessed with a simple username and password.

I'm sad, but I've had to suspend its use while waiting for the project to incorporate a native solution in the future that strengthens access, such as 2FA with Google Authenticator or similar, or for a simple solution like the app works with these external services (perhaps a step-by-step tutorial to solve the problem).

In the meantime, I'm leaving Inmmich aside.

[bo0tzz]

We've made our stance on this plenty clear (see the rest of this thread, and in particular my previous comment), and this thread has now just become a place to reiterate discontent, so I will lock it.