Every once in a while you will read news about data breaches and password leaks. Although strong passwords are great, the majority of people use the same password everywhere. Once it is leaked in a breach, perpetrators will attempt to log in to other popular web services using the same credentials. This is where 2FA creates another barrier: rather than gaining access right away with the leaked credentials, they will also be required to provide something you have (e.g. a TOTP from an authenticator app) or something you are (e.g. fingerprint, facial recognition). Synology introduced these features in the latest DSM 7.0 release.
Let me run through this new DSM 7 feature on the Synology DS1821+.
Improved sign in process
DSM 7.0 introduced an improved sign in process that integrates multi-factor authentication (MFA). What MFA simply means is that you provide two or more verification factors. Examples of verification factors are:
| What you know | What you have | What you are |
|---|---|---|
| Password | TOTP from Authenticator app | Fingerprint (Touch ID), Facial Recognition (Face ID) |
The three (3) methods of login introduced in DSM 7.0 are:
| Login method | What you provide |
|---|---|
| Password-less | Secure SignIn or FIDO2 |
| Password only | Password |
| Password with 2FA | Password, then TOTP or Secure SignIn or FIDO2 |
Setting up DDNS and HTTPS on Synology NAS
In order to use TOTP (Time-Based One Time Password), Secure SignIn or FIDO2, you will need to access your Synology NAS using a Fully Qualified Domain Name (FQDN) and via HTTPS. Accessing it by IP address over HTTPS does not meet the prerequisite. Luckily, Synology integrated a couple of DDNS providers. In fact, you can leverage Synology DDNS and Let’s Encrypt for this portion.
Once you are done with the configuration, access your Synology NAS via its FQDN and head on to the next section.
I will leave a trick or two at the end of the article.
Securing my account with hardware token and TOTP
The hardware security token and software authenticator
I will be primarily using a hardware security token as my second factor. If you are intending to get one, do check out YubiKey from Yubico. Personally, I find them to be well-built and easy to carry around.
For a software authenticator, I typically rely on Google Authenticator for Time-Based One Time Password (TOTP). Similar to Synology’s Secure SignIn, you can associate multiple accounts, each with a different TOTP seed, in the mobile app.
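As an added illustration (not code from the original post or from Synology), this is what an authenticator app computes from the seed it reads out of the enrolment QR code: the RFC 6238 TOTP derivation, using the RFC's reference seed as a constructed sample, together with the drift-tolerant, constant-time check the verifying side performs.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 6238 reference secret "12345678901234567890",
# written in the base32 form an authenticator app reads from the enrolment QR code.
# A real seed is as sensitive as a password: anyone holding it can produce valid codes.
SAMPLE_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_base32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating spaces and missing '=' padding."""
    cleaned = seed_base32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step                      # time is reduced to a step counter
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Check a submitted code against the current step and +/- `window` steps of clock drift."""
    if not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):      # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    seed = decode_seed(SAMPLE_SEED_BASE32)
    print("current code:", totp(seed, int(time.time())))
```

The same seed enrolled in two apps (or on a phone and its backup) yields identical codes, which is why the seed, not the six digits, is the thing to protect.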
Securing my account on Synology NAS
Instead of writing, I documented the process with pictures with captions.
Logging in with hardware security key or TOTP
Again, I am letting the pictures do the talking.
Password-less login using Secure SignIn
You can also do password-less login using a hardware security key (FIDO2), but I will be focusing on using the Secure SignIn app.
Setting up Password-less login
Logging in without using password (aka password-less)
MFA for non-Internet accessible Synology NAS
By non-Internet accessible, I simply mean that you do not open your DSM to the Internet. If it is not opened to the Internet, how do we obtain the Let’s Encrypt certificate and access the NAS via its hostname?
Long Expiry Certificate
With regard to the certificate, did you notice that I have a “Not Secure” message beside my DSM’s address in my screenshots? That is because I am using the default synology.com certificate with super long expiry time that comes with every Synology NAS. With this, you do not have to expose your Synology NAS for the periodic Let’s Encrypt certificate renewal.
FQDN resolving to local network IP address
As for the fully qualified domain name (FQDN), instead of having Synology DDNS detect your public Internet address automatically, manually input your local network IP address for the Synology NAS. This way, the FQDN resolves to your Synology NAS local network address.
I like that DSM 7.0 brought authentication security to new heights with the improved sign in process that integrates multi-factor authentication (MFA). I have 2FA enabled for accounts with administrative privileges on my Synology DS1821+.
In view of good cybersecurity hygiene, I strongly recommend that, at a minimum, user accounts with administrative privileges enable 2FA, using either TOTP or a hardware security key. If possible, all accounts should enable 2FA.
In my opinion, between a software authenticator (e.g. Google Authenticator) and a hardware security key (e.g. YubiKey), the software authenticator is more user friendly. Although the trust level of a software authenticator is lower than a decent hardware security key, it is still sufficient for normal people like you and me. We are less likely to be targeted by James Bond. Right?
Hope this review of Synology DSM 7.0’s improved authentication features has been insightful. Now, go turn on your 2FA.