For people asking for a way to run 2fa on jellyfin i have a solution. I will elaborate more if people are interested as not writing a guide for no reason. This method allows users to simply use their login credentials into the default jellyfin login page, and 1 second later your DUO app on your phone will buzz for a confirmation to sign-in. (meaning no redirects and this method 100% compatible with all clients)
install the LDAP plugin on jellyfin. install Authentik in your server with docker. create a DUO security account. in short, jellyfin query’s your Authentik LDAP server for ther user login, then LDAP will query DUO.
Unfortunately, DUO only allows 10 users with the free account, then you have to pay extra. of course with this method you are not bound to only use DUO, you could you a web-auth with your phones bio-metrics to sign-in instead of DUO. there are many ways you could query the users phone through Authentik, but DUO is the most continent.
This is a great approach, but I find myself not trusting Jellyfin’s preauth security posture. I’m just too concerned about a remote unauthenticated exploit that 2fa does nothing to prevent.
As a result, I’m much happier having Jellyfin access gated behind tailscale or something similar, at which point brute force attacks against Jellyfin directly become impossible in normal operation and I don’t sweat 2fa much anymore. This is also 100% client compatible as tailscale is transparent to the client, and also protects against brute force vs Jellyfin as direct network communication with Jellyfin isn’t possible. And of course, Tailscale has a very tightly controlled preauth attack surface… essentially none of you use the free/commercial tailscale and even self-hosting headscale I’m much more inclined to trust their code as being security-concscious than Jellyfin’s.