2-step verification · NAS server · Secure your NAS

Secure your synology with 2-step verification login

To add a layer of security to your synology, you can enable 2-step verification. Here is how you do it:

You will need either:

  • an iphone or ipad to install an authenticator app
  • or an android phone
  • or a blackberry, to be able to authenticate yourself. (Continue reading for more details).

Log in your synology and Click on “Admin” and “Options”:


Click on “Enable 2-step verification” and a new window will appear:


Click on “Next”:


Confirm your email and click on “Next”: (this email address will be used to send you the code if you lose your phone)


You need to install the authenticator, I will use Google (I have masked the QR code on the picture). Here are the links to the app in the different devices:


Let’s do this on the iphone. After you download the the app, open it and click on the pen (circled in red on the picture):


Click on the “plus” symbol:


Now you have two choices, either you scan the code, or you input the details manually (see the link in blue in the previous synology step):


Once you have done it, the new account will be registered in your app:


Click “Next” on the synology verification wizard:


And you will be prompted to write the 6-digit number that you see on the app.


And you are done:


What happens now? Well, every time you try to log in as ADMIN, you will have to open your app, retrieve a new code and entering after your normal login procedure:


Lost your phone?

If your mobile device is lost, you can click the Lost phone? link, and an emergency code will be sent to the email address you specified during the set-up:




25 thoughts on “Secure your synology with 2-step verification login

  1. Are you allow to have more that one device to provide the 2-step verification code? The reason for this question if you lose the device and/or if it is broken how are you going to get admin access?


    1. Great question David! If your mobile device is lost, you can click the Lost phone? link (on the login panel), and an emergency code will be sent to the email address you specified when you configure the 2-step verification code.
      I’ll update the instructions.


  2. Hola, he cambiado de teléfono y google authetificator ha dejado de funcionar. He agotado todos los códigos de emergencia y no puedo entrar en mi NAS. ¿Cçomo hago para volver a configurar el teléfono? ¿Como puedo conseguir un nuevo código de emergencia?


  3. I ran into an issue with 2-step enabled when using more than one device with Authenticator app. I first set this up to use my iPhone scanning the QR code and it works great. However I also use my iPad (on the same LAN as my Synology) to access some of my Synology services like DS Download. When I launched DS Get (DS Download) I am prompted to 2-step authenticate. The problem is when I launched Google Authenticator on my iPad it wants me to scan the QR code. I don’t see a way to view the QR code again from the 2-step setup preferences on the Synology. Any suggestion on how to work around this seemingly limitation or am I overlooking something that allows multiple devices to 2-step authenticate using Google Authenticator?


      1. Really just for the occasion that I am using my iPad. Kind of a pain if I’m on my iPad and try to use a Synology app and then have to go and grab my phone to authenticate.
        Does Synology 2-step offer txt message or just use of an Authenticator app? If a txt message is possible then I can use my iPad too.


    1. you can capture the qr code screen or copy the secret key to store both in a very safe place (print it out and keep them in a locked drawer) to set it up on 2nd device for authentication.


  4. If I get a new phone (Android) can I just copy/move the App to the new phone or do I have to install the Authenticator on the other phone?


  5. When you install the Authenticator on a new phone,the best way is to disable two step verification on your NAS.
    Then re-enable it and set it up again on your new phone and scan the QR-code profided.
    I could not find another way to get it working on my new phone.


  6. Hi, I’ve just enabled the 2-step security, and at the time if setup I just print out the QR code and also the manual setup instructions, so I can scan the QR code on different devices (ipad, phone, etc.) or set it up manually. It seems that every time you enable the 2-step the secret key changes, so if you setup the account in one device, and then reset the 2-step security to get again the QR code to scan it in another device the OTP’s are different. Also if you want to include the name of your DS in Google Authenticator, I followed this guide: https://www.edwardthomson.com/blog/changing_titles_in_google_authenticator.html


    1. In addition to Humberto’s good advice, consider using “andOTP” if you have an Android device. That app allows you to securely export all your keys. This provides a backup if your phone breaks, or gets lost. Just import the file into another andOTP installation and all is well. With Google Authentication you are lost if you didn’t record the QR code or manual key at the time you set you the account. Your only choice is reset (non-NAS 2FA accounts may be far more cumbersome to recover).


      1. Xian makes a valid remark – which alludes to Google Authenticator’s limitation (by design) that there is no automated restoration option. Xian mentions “andOTP”, which would allow the user not only to restore 2FA setup on a new device using data backup (without using emergency codes), but more importantly to configure the same 2FA on multiple devices.

        This would help in earlier situation posted by Erik Smith, where he wished to have option to obtain 2FA from either iPhone or iPad.

        Clearly it becomes very important to secure your backup of 2FA configuration, and to have a strong password on this setup. There is a compromise to be had!


  7. I have set up 2FA on my new ds718+, but it only asks for the OTP when logging in to the Synology Desktop, not when I log in to the Roundcube Webmail. Which is a shame because it is the webmail I wanted to protect in the first place, because that can be accessed from the internet (whereas the desktop can only be reached from the home network).


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.