Jellyfin 2FA Setup 2026: TOTP Plugin + Authelia SSO (Step-by-Step)

Jellyfin Two-Factor Authentication (2FA) in 2026: Complete Guide

If your Jellyfin server is accessible from the internet - through a reverse proxy, Cloudflare Tunnel, or VPN - a username and password alone is not enough. One leaked credential and someone has full access to your media library, your users' data, and potentially your entire homelab.

Two-factor authentication (2FA) adds a second verification step - typically a 6-digit code from an authenticator app - that makes stolen passwords useless.

This guide covers every method to enable 2FA on Jellyfin in 2026.


Does Jellyfin Have Built-In 2FA?

As of Jellyfin 10.11.7 (April 2026), Jellyfin does not have native two-factor authentication built into the core server. However, there are two well-established approaches:

Method | How it works | Complexity
TOTP Plugin (from catalog) | Adds TOTP 2FA directly to Jellyfin login | Easy
SSO with external IdP | Authelia or Authentik handles 2FA before Jellyfin | Medium-Advanced

Both methods are production-ready in 2026.


Method 1: TOTP Plugin from the Jellyfin Plugin Catalog

The simplest way to add 2FA to Jellyfin. This plugin adds a TOTP (Time-based One-Time Password) step to the standard Jellyfin login flow.

How TOTP Works

  1. User enters username and password as usual
  2. If 2FA is enabled for that account, Jellyfin prompts for a 6-digit code
  3. User opens their authenticator app (Google Authenticator, Authy, Bitwarden, etc.) and enters the code
  4. Access granted only if both password and code are correct
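As an added illustration (not code from the plugin or from this article), this is the check the server performs in step 4, using the RFC 6238 algorithm that authenticator apps implement. The secret in the demo is the RFC test key; the drift window and the replay guard on the last used time step are common implementation choices, not something the plugin documents.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, the default authenticator apps use
DIGITS = 6   # code length shown in the app


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """RFC 6238: the code the authenticator app shows at Unix time `at` (now if None)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now) // STEP)


def verify(secret_b32, submitted, at, last_used_step, window=1):
    """Server-side check of a submitted code at Unix time `at`.
    Accepts +/- `window` steps of clock drift, refuses any step at or
    before the last one already used (replay), and compares in constant
    time. Returns (accepted, updated last_used_step)."""
    step = int(at) // STEP
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_used_step:
            continue  # already consumed: a replayed code must not log in again
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp(secret)
    print("code now:", code, "accepted:", verify(secret, code, time.time(), -1)[0])
```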

Installation

  1. Open your Jellyfin Dashboard
  2. Navigate to Dashboard → Plugins → Catalog
  3. Search for "Two-Factor Authentication" or "TOTP"
  4. Click Install
  5. Restart your Jellyfin server

Note: The plugin name in the catalog is "Two-Factor Auth" or similar - search for "two-factor" or "totp" to find it.

Configuration

After installation and restart:

  1. Go to Dashboard → Plugins → Two-Factor Authentication
  2. The plugin settings page allows you to:
    • Enable/disable 2FA globally
    • Require 2FA for admin accounts
    • Set grace period for new setups

Setting Up 2FA for Your Account

  1. Go to your User Profile → Security (or the plugin's user settings page)
  2. Click Enable Two-Factor Authentication
  3. A QR code appears on screen
  4. Open your authenticator app → Scan QR Code
  5. Enter the 6-digit code displayed in your app to verify
  6. Save your backup codes - store them securely offline

Recommended Authenticator Apps

App | Platform | Cloud backup | Open source
Aegis | Android | Optional (encrypted) | Yes
2FAS | Android, iOS | Yes (encrypted) | Yes
Bitwarden | All | Yes | Yes
Google Authenticator | Android, iOS | Yes (Google account) | No
Authy | All | Yes | No

Recommendation: Use Aegis (Android) or 2FAS (cross-platform) - both are open source and support encrypted backups.

What Happens If You Lose Your Authenticator?

This is the most common 2FA failure scenario. Prepare for it:

  1. Save backup codes when you first enable 2FA - store them in a password manager or printed in a safe
  2. Admin override: A server admin can disable 2FA for any user from the dashboard
  3. Database reset: As a last resort, the plugin's 2FA data can be cleared from the Jellyfin database

Critical: If you are the only admin and lose your authenticator without backup codes, you will need to manually edit the Jellyfin database to regain access. Always save backup codes.


Method 2: SSO-Based 2FA with Authelia or Authentik

For a more robust setup - especially if you run multiple self-hosted services - use an external identity provider (IdP) that handles authentication and 2FA before Jellyfin ever sees the request.

How It Works

User → Reverse Proxy → Authelia/Authentik (login + 2FA) → Jellyfin

The IdP intercepts the request, authenticates the user (password + 2FA), and only forwards authenticated requests to Jellyfin.

Option A: Authelia (Lightweight)

Authelia is a lightweight authentication server that sits behind your reverse proxy.

# docker-compose.yml snippet
services:
  authelia:
    image: authelia/authelia:latest
    volumes:
      - ./authelia/config:/config
    ports:
      - 9091:9091
    restart: unless-stopped

Configure Authelia to require 2FA for your Jellyfin domain:

# authelia configuration.yml
access_control:
  default_policy: deny
  rules:
    - domain: jellyfin.yourdomain.com
      policy: two_factor

Authelia supports:

  • TOTP (Google Authenticator, Authy)
  • WebAuthn (YubiKey, hardware security keys)
  • Duo Push notifications

Option B: Authentik (Full-Featured)

Authentik provides a complete identity platform with a web admin UI, LDAP support, and advanced policies.

For Jellyfin integration, install the jellyfin-plugin-sso plugin:

  1. Dashboard → Plugins → Catalog → SSO Authentication
  2. Configure OIDC provider pointing to your Authentik instance
  3. Users see a "Sign in with Authentik" button on the Jellyfin login page

Authentik supports:

  • TOTP
  • WebAuthn / FIDO2
  • SMS (not recommended)
  • Push notifications

Authelia vs Authentik for Jellyfin 2FA

Feature | Authelia | Authentik
Setup complexity | Simple (YAML config) | Medium (web UI + PostgreSQL)
Resource usage | Very low (~50 MB RAM) | Medium (~500 MB RAM)
2FA methods | TOTP, WebAuthn, Duo | TOTP, WebAuthn, SMS, Push
User self-service | Limited | Full (password reset, profile)
Best for | Small homelabs | Multi-service environments

Which Method Should You Choose?

Scenario | Recommended method
Solo admin, just want 2FA on Jellyfin | TOTP Plugin
Family server, simple setup | TOTP Plugin
Multiple services (Jellyfin + Radarr + Sonarr + Grafana) | Authelia or Authentik
Enterprise / team environment | Authentik
Already running a reverse proxy with auth | Add 2FA to existing IdP

2FA Best Practices for Jellyfin Admins

1. Enable 2FA for all admin accounts - no exceptions

Admin accounts can delete libraries, modify users, and access server logs. They must have 2FA.

2. Consider 2FA for all remote users

If your server is accessible from the internet, every account is a potential attack vector.

3. Use hardware security keys for maximum security

WebAuthn with a YubiKey is phishing-resistant - unlike TOTP codes, it cannot be intercepted by a fake login page.

4. Combine 2FA with Fail2Ban

Even with 2FA, brute-force attempts waste server resources. Fail2Ban blocks IPs after repeated failures:

[jellyfin]
enabled = true
# A jail needs a filter and a log to read: filter.d/jellyfin.conf must define a
# failregex for Jellyfin's failed-login log lines, and logpath points at the
# Jellyfin log directory (placeholder path, adjust to your install).
filter = jellyfin
logpath = /path/to/jellyfin/log/*.log
maxretry = 5
bantime = 3600

5. Monitor failed login attempts

JellyWatch sends push notifications for authentication failures - you know immediately if someone is trying to break in.


Does 2FA Work with Jellyfin Mobile Apps?

Client | TOTP Plugin support | SSO support
Jellyfin Web | Yes | Yes
Jellyfin Android | Depends on plugin implementation | Limited
Jellyfin Android TV | Depends on plugin implementation | Limited
Infuse (iOS/tvOS) | No (direct API auth) | No
Findroid | Depends on plugin implementation | Limited
JellyWatch | Direct API auth | N/A

Important: Some third-party clients authenticate directly via the Jellyfin API and may not support the 2FA prompt. For these clients, SSO-based 2FA (Authelia/Authentik at the reverse proxy level) is more reliable because it intercepts the connection before the API is reached.


FAQ

Does Jellyfin have built-in 2FA? Not natively in the core server. Use the TOTP plugin from the plugin catalog or an external SSO provider like Authelia or Authentik.

Where do I find the 2FA plugin in the Jellyfin catalog? Dashboard → Plugins → Catalog → search for "Two-Factor Authentication" or "TOTP".

Can I require 2FA for some users but not others? With the TOTP plugin, 2FA is typically per-user - each user enables it individually. With Authelia/Authentik, you can set policies per user group.

What if I lose my phone with the authenticator app? Use your backup codes to log in, then reconfigure 2FA with a new device. If you have no backup codes, another admin can disable your 2FA from the dashboard.

Is 2FA enough to secure my Jellyfin server? 2FA is one layer. Combine it with: HTTPS (reverse proxy), Fail2Ban, strong passwords, regular updates, and monitoring (JellyWatch).

Does the TOTP plugin survive Jellyfin updates? Yes. Plugins persist across updates. However, after a major version upgrade (e.g., 10.11 → 12.0), check plugin compatibility.


Security Checklist for Jellyfin in 2026

Layer | Tool
HTTPS | Caddy / Nginx / Traefik
2FA | TOTP Plugin or Authelia/Authentik
Brute-force protection | Fail2Ban
Strong passwords | Password policy
Regular updates | Watchtower or manual
Monitoring | JellyWatch
Backups | Automated scripts

Secure your server - then monitor it from your pocket. Download JellyWatch on Google Play - failed login alerts, session monitoring, and server health for Jellyfin admins on Android.

On Emby? Download EmbyWatch on Google Play - the same security monitoring experience for Emby servers.

Comments 3

Marcus B.

Enabled TOTP on my admin account the day I exposed my server via Cloudflare Tunnel. Peace of mind knowing that even if someone gets my password, they cannot get in without my phone.

tina_l

Using Aegis Authenticator as recommended in this article. The encrypted backup feature means I will never lose my 2FA codes even if my phone dies. Open source too.

Hello,

I tried to add the stable and unstable repos but it is still impossible to find this plugin.

I'm on version 10.11.8.

Do you have an idea?

Thanks in advance.
