Do you want two factor authentication or passwordless login?

Either way the awesome tools in Synology DSM 7.0 have you covered completely for free and with minimal fuss 🙂

I’ve had a burr in my butt around the need for multifactor authentication on my server, especially for an admin account that, if stolen, would be awful, needless to say. It’s equally important for other accounts too, depending on usage. But I come along kicking and screaming. I don’t log in for good luck. I’m trying to do something, and logging in is a distraction and a frustration if it takes much time or data entry. After setting up 2FA on my Synology DS-1520+ I’ve been really pleased with the outcome.

I’ll start with the outcome. Let’s say I’m logging onto my NAS (directly or using one of my apps) and I’m prompted to authenticate. I enter my user ID and password and press enter. Now my web page tells me to approve the login on my phone.

My browser prompts me to approve on my phone

I open the notice on my phone and hit Approve and I’m logged in 🙂

While I don’t welcome the interruption of another prompt, with two factor authentication being the goal I can’t see how it gets much easier than this.

Secure SignIn will also let you log in using OTP codes.

Use OTP code for login

It’s interesting to note that the security code can be generated and used even if your phone has no cell or internet connection. In fact, you don’t even need a LAN connection to your NAS. The code is valid on its own because the NAS and the phone have synchronized clocks and both know the secret key, so each side independently computes the same code for the current time.
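To show why the code works with no connection at all, here is an added example (not from Synology or this post) of the standard time-based one-time password computation that authenticator apps implement: RFC 6238 TOTP on top of RFC 4226 HOTP. The secret is the RFCs' published test value, not a real key, and the drift window in the verifier is my assumption, since DSM's own tolerance isn't stated in the post.

```python
import hashlib
import hmac
import struct

# Demo secret from the RFC 4226 / RFC 6238 test vectors (constructed input,
# not a real key). A real app receives a random secret via the enrollment QR code.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the usual authenticator default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the current time divided into 30 s steps,
    so phone and NAS derive the same code without ever talking to each other."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. `window` (an assumption here) tolerates +/- that many
    steps of clock drift between phone and server. compare_digest keeps the
    comparison constant-time so timing does not reveal which digits matched."""
    current = unix_time // TIME_STEP
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift), candidate):
            return True
    return False


if __name__ == "__main__":
    import time

    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "valid:", verify_totp(DEMO_SECRET, code, now))
```

The same secret loaded into any standards-based authenticator app produces identical codes, which is why the phone needs only an accurate clock.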

What if you don’t care about 2FA and just want an easier login?

Do you want the security of some authentication, but don’t want to mess around finding and typing in your long cryptic password all the time? You can set up your account for what’s called passwordless login. This lets you, while holding your unlocked phone, authenticate with literally one button press (set up biometrics on the phone so you don’t have to type an unlock code).

To see how easy this is, let’s say I’m logging into the DS-1520+ and I’m prompted to authenticate. I DO have to type in my user name.

Type in user name

Now when I click on the arrow I get this message in my browser window:

Login approval request sent

Now I look at my previously sleeping and locked phone:

Phone wakes up to show waiting approval request

So I tap on that message, my phone unlocks based on facial recognition, and I can approve or deny my waiting browser login:

Log in by just pressing approve; the waiting app finishes the login immediately

At this point I’m done 🙂

OK, so it works well, but I bet setting it up is a nightmare, right?

Nope, it was actually painless. As an administrator I didn’t have to do anything more than the basic server configuration I already had in place, where the server knows its domain name, is configured with security certificates, etc., as needed for normal operation.

After that the setup of 2FA or passwordless login is all done by the user that wants that capability.

At the DSM desktop, the user edits their account settings and can choose one of these login options.

Choose passwordless, 2-Factor, or stick with user/password

With either passwordless or 2FA, the next step is to point your phone’s camera at the QR code to download the app.

Scan the code and Secure SignIn will download to the phone

There’s one more code to scan in order to point the app to your server and then you’re done.

More to think about

I personally think that getting an approve prompt on your phone and just pressing it is nearly as secure as true “2FA” where you type in a code you see on the phone, assuming your phone doesn’t stay unlocked, of course. I’m no expert. It does mean that somebody who knows your user ID and has your unlocked phone can log in without your password. It also means somebody who knows your user ID and password can log in, which is what 2FA is there to prevent in the first place. Be your own judge.

  • See PC Mag for a great review of authenticator apps. Using the Synology Secure SignIn app, I may not need any of these (not sure yet, but the codes it generates should be usable anywhere given the standards).
  • If you decide to set this up, then don’t lock yourself out! Consider what happens when your phone is broken or dead. Various 2FA systems have ways around this. Synology will let you get codes via e-mail. And what if your e-mail is down or inaccessible too? In my case I created another admin account that I don’t use for anything but recovering another account (I can log in as a different admin and go turn off 2FA for my real account). You never lock yourself out with passwordless login, since you can always use your password without having the phone.
  • If you use a verification code, understand that using an authenticator app is distinctly better than being sent an SMS text code. SMS is not secure, it takes time for the text message to reach you, and you need cell coverage, for one thing.
  • For Synology servers, this is a great article on making the server secure in general, not just as it relates to authentication.