Set Up 2FA on Synology NAS to Reduce Attack Surface: Comprehensive Guide
Like any network-connected device, network-attached storage (NAS) is exposed to cyber threats. According to the Synology Product Security Advisory, Synology NAS has had several critical vulnerabilities with CVSS v3 base scores of 9 or higher. In our previous blog post we covered several ways to protect your Synology NAS from malware, but we saved a separate spot for two-factor authentication.
In this blog post, you’ll walk through the setup process for every type of two-factor authentication Synology NAS offers. As a bonus, you’ll find out why the Passwordless sign-in option offered by Synology shouldn’t be confused with 2-factor authentication.
How to Set Up 2FA on Synology NAS? (estimated setup time ~ 3 mins)
How Do You Enforce 2FA for Synology NAS Users? (estimated setup time ~ 2 mins)
(Advanced bonus topic) Passwordless Sign-In vs. 2-Factor Authentication
How to Set Up 2FA on Synology NAS?
The two-factor authentication (2FA) setup on a Synology NAS device is pretty straightforward.
Let’s walk through the setup process for all the options, and see their differences. Start by following these steps:
1. Click on the user icon > select Personal from the dropdown > go to the Account tab > click on 2-Factor Authentication.
Note: You can’t set up 2FA for your own account from the Control Panel; the Control Panel is only where an administrator enforces it for other users (see below).
If your DSM version is 6.2.4 or older, you might see an Enable 2-step verification checkbox instead. If you do, tick it and follow the process.
If you haven’t set up an email address for your account yet, a pop-up window will ask you to do so first.
Click Yes and follow the instructions. At the end of the process, click Apply, then click Enable 2-step verification once more.
2. Synology offers three options to enable 2FA; select one of them here:
Option 1: Approve sign-in
Option 2: Verification code (OTP)
Option 3: Hardware security key
If you aren't sure which option to take, opt for Option 2, the OTP. It is a good balance of convenience and security. If you are looking for the highest level of protection, Option 3 is stronger: a hardware key answers a challenge that is bound to the domain you are signing in to, so the second factor can’t be phished or relayed the way a typed OTP code can. It does, however, require investing in a hardware security key.
Now let’s see the setup process for all three options.
Option 1: Set up Approve sign-in for 2FA
To set it up, follow these steps:
- Click on Approve sign-in in the Set up 2-factor authentication window.
- Verify your account password.
- Next, you’ll be prompted to install the Secure SignIn app. You can do that using the QR code on the screen. When done, click Next.
- Then, scan the QR code with the Secure SignIn app on your phone.
- Enter the OTP code from the app in your browser > click Next.
- Type in your account (backup) email address > click Next.
- Click Done, and you’re all set.
Option 2: Set up Verification code (OTP) for 2FA
This 2FA option uses a one-time password (OTP) from an authenticator app. Synology recommends setting up OTP as a backup sign-in method even if you opt for Approve sign-in or a Hardware security key, because the code is computed on the phone from a shared secret and the current time: OTP sign-in works even when your phone has no network connection.
To set it up, follow these steps:
- Click on Verification code (OTP) in the Set up 2-factor authentication window.
- Verify your account password.
- Next, you’ll be prompted to install the Secure SignIn app. You can do that using the QR code on the screen, or click Next if you want to use another authenticator.
- Scan the QR code with the Secure SignIn app or the authenticator of your choice.
- Enter the OTP code from the app in your browser > click Next.
- Type in your account (backup) email address > click Next.
- Click Done, and you’re all set.
Option 3: Set up Hardware security key for 2FA
This option lets you sign in with a USB security key such as a YubiKey, or with Touch ID on macOS.
Before setting up a Hardware security key as your 2-factor authentication, configure Dynamic DNS (DDNS) by going to Control Panel > External Access > DDNS, so that you reach DSM over HTTPS at a domain name rather than a bare IP address: the key registers its credential against that domain name and will only answer sign-in challenges from it. You can find detailed DDNS instructions in the Synology Knowledge Center.
Then, to set up the Hardware security key, follow these steps:
- Click Hardware security key in the Set up 2-factor authentication window.
- Verify your account password.
- Select the key type (USB key, or Touch ID/Face ID on Apple devices).
- Follow the instructions for your key type.
- At the end of the process, type in your account (backup) email address > click Next.
- Click Done, and you’re all set.
How Do You Enforce 2FA for Synology NAS Users?
If you have admin rights, you can enforce 2-factor authentication for selected or all users. To do so, follow these steps:
- Go to Control Panel
- Open the Security tab > Account
- Click on Enforce 2-step verification for the following users
- Select specific users/groups or choose All users
The selected users will see a message prompting them to set up 2-step verification the next time they sign in.
Synology NAS: Passwordless Sign-In vs. 2-Factor Authentication
We recommend 2FA for Synology NAS because it is the more secure of the two. For curious minds, here is the difference between Passwordless Sign-In and 2-Factor Authentication.
As we’ve seen above, under Personal > Account you can choose between Passwordless Sign-In and 2-Factor Authentication.
Even though both offer the Approve sign-in and Hardware security key options, they aren’t interchangeable.
Important: Passwordless Sign-In doesn’t add a second layer of account protection. It replaces the password with the approval or the security key, so sign-in still rests on a single factor. It may be faster than 2-Factor Authentication, and therefore more convenient, but it doesn’t offer an extra security barrier.
Security Protection Comparison Table
Adding a DNS firewall
Two-factor authentication is crucial to the security of your Synology NAS, but it only protects the sign-in step: it does nothing against network attacks on exposed services, such as remote code execution (RCE) in a vulnerable package. If you want to protect your privacy, prevent malware infections, and filter your web traffic, you also need a firewall. Most firewalls require a long manual installation. For a solution that protects your NAS device in one click, try the DNS firewall by AP Lens for free.
Our DNS firewall uses an allow list, so your Synology can only resolve domains you have approved and unknown outbound connections are stopped at the DNS lookup. Malware that reaches for its command-and-control servers by domain name can’t find them; note that, like any DNS-based control, it does not see traffic sent directly to an IP address without a lookup.