Again your videos are so goooooood very straight forward, I wish you 1 Million Subscribers
Thanks for the feedback and glad the videos are helping!!
Thanks a lot Sir for this video including all necessary parts briefly enough. Encourages me to check your other videos as well.
I'm glad the video was helpful for you. I hope you find my other videos helpful as well.
Great walk through!! I have a QUESTION here.. I haven't figured out how to enforce 2FA with pwd+hardware key alone. DSM requires me to set up the OTP (which I don't want to use since it's less secure as it can be stolen/replicated). Does anyone have a solution or suggestion here?
Hi Enriq, Thanks for the feedback on the video and I'm happy it walked through the setup process well.
Regarding your question, enforcing 2FA with pwd+hardware key is possible, but you need to specifically use HTTPS when setting that up. I'll look into creating a video on the setup process in the near future so please subscribe and look for the video shortly. Good luck and please share if you did figure things out already.
Thanks for the hint! I'll give it a try!!
@@cycledude_bcn Good luck to you!!
One question in regards to using Secure Sign In app for storing the OTP accounts for use with the 2FA. Currently the app only supports backups to Synology Account. Meaning the backup will be stored at Synology. I am wondering why it is not possible to make local NAS backup of the OTP accounts. Do you have any thoughts on this? Synology has not been able to provide me a meaningful answer.
Good video, do not understand why I have to enable external access for this…
@nixxblikka Thanks, glad the video was helpful. Regarding your question about external access, I made the assumption that viewers of this video are interested in using Secure SignIn to access their Synology NAS remotely. I guess you could set up Secure SignIn for local access as well?
@@digital_aloha Na, unfortunately not, you have to activate external access... Maybe okay for the Synology app, but why for a USB key?
@@nixxblikka Ahh, I thought you'll need to activate external access. Regarding the USB key, it is just another hardware security option that can be used.
@@digital_aloha Sorry if not being clear, I would love to use my Yubikey with DSM however you must activate external access, and I don't know why Synology made this decision :-) happy sunday
@@nixxblikka Got it 😀. I did misunderstand. Happy Sunday to you also!!
Perfect 👌
Thank you
You're welcome!! Glad the video was helpful!!
I have a question. If I am using passwordless login and the hacker already knows my password, can the hacker log in to DSM without two-factor authentication? If possible, login without password will be evaluated as very weak in security.
In fact you cannot have passwordless login and two-factor login simultaneously. Ergo, when you have passwordless login enabled the login page will serve up the option for an alternative login method that does not have the 2FA attached any longer.
Which is a serious gaping security hole in my opinion; it was, at least for me, reason enough to not use passwordless login altogether.
Hi unknowofverify, forkless is right that you can't have passwordless login and two-factor login simultaneously. This reminds me of iOS's Face ID and macOS Touch ID... You can use either of those options or use a password, but not both. Apparently there has been some thought that goes into passwordless/Face ID/Touch ID, but if it is possible I'd rather use two-factor authentication which is how I've set up my access to DSM (password and one-time key). Thanks for your great question!!
Hi forkless, Thanks for your input and insight.
If you can't access using Secure SignIn, check that the NAS's time = your phone's time.
@ministratorful Good question/comment!! In all cases your email address will be available as last resort where an emergency verification code could be sent.
It kinda sucks because it cannot be used with SMB.
@theloniousMac Yeah, Secure SignIn is for signing in to DSM or other web based services. SMB doesn't have a 2-Factor Authentication or Secure SignIn option.