
Secure your Synology with 2-step verification login

To add a layer of security to your Synology, you can enable 2-step verification. Here is how you do it:

You will need either:

  • an iPhone or iPad to install an authenticator app
  • or an Android phone
  • or a BlackBerry, to be able to authenticate yourself. (Continue reading for more details).

Log in to your Synology and click on “Admin” and “Options”:


Click on “Enable 2-step verification” and a new window will appear:


Click on “Next”:


Confirm your email and click on “Next”: (this email address will be used to send you the code if you lose your phone)


You need to install the authenticator app; I will use Google Authenticator (I have masked the QR code on the picture). Here are the links to the app for the different devices:


Let’s do this on the iPhone. After you download the app, open it and click on the pen (circled in red on the picture):


Click on the “plus” symbol:


Now you have two choices: either you scan the code, or you input the details manually (see the link in blue in the previous Synology step):


Once you have done it, the new account will be registered in your app:


Click “Next” on the Synology verification wizard:


And you will be prompted to enter the 6-digit number that you see on the app.


And you are done:


What happens now? Well, every time you try to log in as ADMIN, you will have to open your app, retrieve a new code and enter it after your normal login procedure:

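How the app and the NAS arrive at the same 6-digit code, as an added example that is not part of the original post and not Synology's code. It assumes the standard time-based one-time password scheme (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) that Google Authenticator implements, and the `otpauth://` URI that a setup QR code encodes; the sample URI, its label `admin@MyNAS` and the issuer are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: label "admin@MyNAS" is hypothetical; the secret is the
# RFC 6238 test key "12345678901234567890" in Base32, not a real NAS secret.
SAMPLE_URI = ("otpauth://totp/admin@MyNAS"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleNAS")


def parse_otpauth(uri):
    """Return (label, base32_secret) from the URI a setup QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parts.query).get("secret", [""])[0]
    if not secret:
        raise ValueError("URI carries no secret")
    return unquote(parts.path.lstrip("/")), secret


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", max(0, int(unix_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, step=30):
    """Server-side check: accept the current step and +/- window for drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * step, step), submitted)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    import time
    label, secret = parse_otpauth(SAMPLE_URI)
    now = time.time()
    # Any device holding the same secret shows the same code at the same time.
    print(label, totp(secret, now), verify(secret, totp(secret, now), now))
```

The code depends only on the shared secret and the clock, so a screenshot or printout of the QR code is equivalent to the authenticator itself and needs the same protection as the admin password.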

Lost your phone?

If your mobile device is lost, you can click the Lost phone? link, and an emergency code will be sent to the email address you specified during the set-up:


Enjoy!


25 thoughts on “Secure your Synology with 2-step verification login”

  1. Are you allowed to have more than one device to provide the 2-step verification code? The reason for this question is: if you lose the device and/or it is broken, how are you going to get admin access?


    1. Great question David! If your mobile device is lost, you can click the Lost phone? link (on the login panel), and an emergency code will be sent to the email address you specified when you configure the 2-step verification code.
      I’ll update the instructions.
      Ruth


  2. Hello, I have changed phones and Google Authenticator has stopped working. I have used up all the emergency codes and cannot get into my NAS. What do I do to set up the phone again? How can I get a new emergency code?


  3. I ran into an issue with 2-step enabled when using more than one device with the Authenticator app. I first set this up to use my iPhone scanning the QR code and it works great. However, I also use my iPad (on the same LAN as my Synology) to access some of my Synology services like DS Download. When I launched DS Get (DS Download) I am prompted to 2-step authenticate. The problem is when I launched Google Authenticator on my iPad it wants me to scan the QR code. I don’t see a way to view the QR code again from the 2-step setup preferences on the Synology. Any suggestion on how to work around this seeming limitation, or am I overlooking something that allows multiple devices to 2-step authenticate using Google Authenticator?


      1. Really just for the occasion that I am using my iPad. Kind of a pain if I’m on my iPad and try to use a Synology app and then have to go and grab my phone to authenticate.
        Does Synology 2-step offer txt message or just use of an Authenticator app? If a txt message is possible then I can use my iPad too.


    1. You can capture the QR code screen or copy the secret key and store both in a very safe place (print them out and keep them in a locked drawer) to set it up on a 2nd device for authentication.


  4. If I get a new phone (Android) can I just copy/move the App to the new phone or do I have to install the Authenticator on the other phone?


  5. When you install the Authenticator on a new phone, the best way is to disable two step verification on your NAS.
    Then re-enable it and set it up again on your new phone and scan the QR code provided.
    I could not find another way to get it working on my new phone.


  6. Hi, I’ve just enabled the 2-step security, and at the time of setup I just printed out the QR code and also the manual setup instructions, so I can scan the QR code on different devices (iPad, phone, etc.) or set it up manually. It seems that every time you enable the 2-step the secret key changes, so if you set up the account on one device, and then reset the 2-step security to get the QR code again to scan it on another device, the OTPs are different. Also, if you want to include the name of your DS in Google Authenticator, I followed this guide: https://www.edwardthomson.com/blog/changing_titles_in_google_authenticator.html


    1. In addition to Humberto’s good advice, consider using “andOTP” if you have an Android device. That app allows you to securely export all your keys. This provides a backup if your phone breaks or gets lost. Just import the file into another andOTP installation and all is well. With Google Authenticator you are lost if you didn’t record the QR code or manual key at the time you set up the account. Your only choice is reset (non-NAS 2FA accounts may be far more cumbersome to recover).


      1. Xian makes a valid remark – which alludes to Google Authenticator’s limitation (by design) that there is no automated restoration option. Xian mentions “andOTP”, which would allow the user not only to restore 2FA setup on a new device using data backup (without using emergency codes), but more importantly to configure the same 2FA on multiple devices.

        This would help in the earlier situation posted by Erik Smith, where he wished to have the option to obtain 2FA from either iPhone or iPad.

        Clearly it becomes very important to secure your backup of 2FA configuration, and to have a strong password on this setup. There is a compromise to be had!


  7. I have set up 2FA on my new ds718+, but it only asks for the OTP when logging in to the Synology Desktop, not when I log in to the Roundcube Webmail. Which is a shame because it is the webmail I wanted to protect in the first place, because that can be accessed from the internet (whereas the desktop can only be reached from the home network).

