Synology DSM 7 – Improved Authentication Features
Every once in a while you will read news about data breaches and password leaks. Strong passwords are great, but the majority of people reuse the same password everywhere. Once it is leaked in a breach, perpetrators will try the same credentials against other popular web services. This is where 2FA creates another barrier: instead of gaining access right away with the stolen credentials, they also have to provide something you have (e.g. a TOTP from an authenticator app) or something you are (e.g. a fingerprint or facial recognition). Synology introduced these features in the latest DSM 7.0 release.
Let me run through this new DSM 7 feature on the Synology DS1821+.
Improved sign in process
DSM 7.0 introduced an improved sign-in process that integrates multi-factor authentication (MFA). MFA simply means that you provide two or more verification factors from different categories. Examples of verification factors are:
What you know | What you have | What you are |
---|---|---|
Password | TOTP from an authenticator app, hardware token | Fingerprint (Touch ID), facial recognition (Face ID) |
The three (3) methods of login introduced in DSM 7.0 are:
Single-Factor | Password-less | Multi-Factor |
---|---|---|
Password only | Secure SignIn or FIDO2 | Password + (TOTP, Secure SignIn or FIDO2) |
Setting up DDNS and HTTPS on Synology NAS
In order to use TOTP (Time-Based One-Time Password), Secure SignIn or FIDO2, you will need to access your Synology NAS using a Fully Qualified Domain Name (FQDN) and via HTTPS. An IP address over HTTPS does not meet the prerequisite; for FIDO2 in particular, WebAuthn credentials are bound to a domain name, not to an IP address. Luckily, Synology integrated a couple of DDNS providers. In fact, you can leverage Synology DDNS and Let’s Encrypt for this portion.
Once you are done with the configuration, access your Synology NAS via its FQDN and head on to the next section.
I will leave a trick or two at the end of the article.
Securing my account with hardware token and TOTP
The hardware security token and software authenticator
I will be primarily using a hardware security token as my second factor. If you are intending to get one, do check out YubiKey from Yubico. Personally, I find them to be well-built and easy to carry around.
For a software authenticator, I typically rely on Google Authenticator for Time-Based One-Time Passwords (TOTP). Similar to Synology’s Secure SignIn, you can associate multiple accounts, each with its own TOTP seed, in the mobile app.
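How the six-digit code in the authenticator app is derived from the shared seed and the clock, as an added Python example that is not Synology's or Google's code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps) plus a server-side verifier that tolerates one step of clock drift but refuses to accept the same time step twice. The seed is the RFC 6238 reference seed, not a real account seed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed value: the RFC 6238 reference seed "12345678901234567890" in base32,
# the same encoding an authenticator app scans from a QR code. Not a real account seed.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(secret_b32: str) -> bytes:
    """Decode a base32 seed as displayed by DSM (spaces and missing padding tolerated)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(decode_seed(secret_b32), int(for_time) // step, digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1,
                last_used_counter: int = -1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched time step, or None if rejected.

    window=1 also accepts the previous and next step, so a phone clock that is
    up to 30 s off still works. Any step at or below last_used_counter is refused:
    a code that was already accepted must not be replayable during its validity.
    """
    key = decode_seed(secret_b32)
    base = int(now) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    import time
    print("current code for the reference seed:", totp(RFC6238_SEED, int(time.time())))
```

The verifier is what a service like DSM does with the digits you key in; the drift window is why a NAS whose clock is badly off rejects every code.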
Securing my account on Synology NAS
Instead of writing it all out, I documented the process with captioned screenshots.
1. Navigate to your Personal account settings from the DSM desktop. You can find the 2-Factor Authentication details at the bottom of the page.
2. If you are setting up your hardware security token, select the same option as me.
3. Verifying my identity to prevent me from setting up 2FA on the wrong account.
4. I will be choosing USB Key as I am using the YubiKey.
5. Recognising the hardware security key over FIDO2.
6. Naming the hardware security key for easy reference in DSM.
7. Setting up TOTP as the backup 2FA. This is great in case I lose my hardware security key.
8. Other than Secure SignIn, you can also use Google Authenticator.
9. The standard way of setting up TOTP.
10. Just in case you are really unlucky, you can still recover and switch to another device via email.
11. Summary page of the configured MFA for my user account. It now shows that I have 2-Factor Authentication enabled.
12. YubiKey is listed as the hardware security key.
13. The TOTP tab.
Logging in with hardware security key or TOTP
Again, I am letting the pictures do the talking.
1. Navigate to your Synology NAS via its hostname and HTTPS.
2. Keying in the first factor – the password.
3. Instead of using TOTP, I click on “Try another sign-in method” below.
4. Switched the second factor to the hardware security key. It will remember this option subsequently.
5. Inserting the security key into my computer and authenticating with DSM.
6. After a quick verification, I am presented with the DSM desktop.
7. I also tried the TOTP login method, which required me to key in the numbers from Google Authenticator.
8. Like the hardware security key method, I am presented with the DSM desktop after this.
Password-less login using Secure SignIn
You can also do password-less login using a hardware security key (FIDO2), but I will be focusing on using the Secure SignIn app.
Setting up Password-less login
Logging in without using password (aka password-less)
Tips
MFA for non-Internet accessible Synology NAS
By non-Internet accessible, I simply mean that you do not open your DSM to the Internet. If it is not opened to the Internet, how do we do the Let’s Encrypt certificate and access via hostname?
Long Expiry Certificate
With regard to the certificate, did you notice the “Not Secure” message beside my DSM’s address in my screenshots? That is because I am using the default synology.com certificate that comes with every Synology NAS: the browser does not trust it, but it has a very long validity period. With it, you do not have to expose your Synology NAS to the Internet for the periodic Let’s Encrypt certificate renewal.
FQDN resolving to local network IP address
As for the fully qualified domain name (FQDN), instead of having Synology DDNS detect your public Internet address automatically, manually enter the local network IP address of the Synology NAS. This way, the FQDN resolves to your Synology NAS’s local network address, and the hostname-over-HTTPS prerequisite is met without opening DSM to the Internet.
Conclusion
I like that DSM 7.0 brought authentication security to new heights with the improved sign-in process that integrates multi-factor authentication (MFA). I have 2FA enabled for accounts with administrative privileges on my Synology DS1821+.
In view of good cybersecurity hygiene, I strongly recommend that, at a minimum, user accounts with administrative privileges enable 2FA, either TOTP or a hardware security key. If possible, all accounts should enable 2FA.
In my opinion, between a software authenticator (e.g. Google Authenticator) and a hardware security key (e.g. YubiKey), the software authenticator is more user friendly. Although the trust level of a software authenticator is lower than that of a decent hardware security key, it is still sufficient for normal people like you and me. We are less likely to be targeted by James Bond. Right?
Hope this review of Synology DSM 7.0’s improved authentication features has been insightful. Now, go turn on your 2FA.