Set up passwordless authentication (for admins)

Passwordless authentication brings extra security and convenience to your identity access management. With this feature, there is no need to remember or enter passwords. C2 Identity users can authenticate via safer methods like authenticator apps. This not only prevents password breaches but eases the burden on IT to keep passwords protected.

This article introduces passwordless sign-in options and settings in the admin portal. To manage your account, refer to Protect your C2 Identity account with passwordless authentication.

Sign-in options

C2 Identity users have three ways to sign in without using their account password:

  • Approve sign-in: Tap a notification in Synology Secure SignIn to confirm identity.
  • TOTP: Enter a time-limited temporary passcode from Synology Secure SignIn.
  • App password: Use a passcode from the user portal for services that don't support passwordless authentication.

The following table shows the passwordless sign-in options available for your services. Note that options marked with an asterisk (*) require configurations in the admin portal.

  • Cloud services (such as C2 Identity, Microsoft 365, Google Workspace): approve sign-in
  • Internal services (such as Synology MailPlus, Synology Drive, Synology Chat (webpage) [1]):
    • With Internet access: TOTP along with approve sign-in, or simply approve sign-in*
    • Without Internet access: TOTP*
  • Devices (such as Windows devices):
    • With Internet access: TOTP* or approve sign-in
    • Without Internet access: TOTP*
  • Services that don't support passwordless authentication (such as Wi-Fi, SMB servers): app password

Passwordless management

Passwordless authentication can be enabled by each user. It can also be enforced through the options in the C2 Identity admin portal > Settings > Passwordless:

Deploy passwordless authentication

Select Enforce passwordless sign-in, which forces users to enable passwordless authentication for their account. Passwords and 2-factor authentication will be deactivated.

Manage sign-in options for edge servers

To ensure secure access to your internal services integrated with edge servers, configure the following options:

  • Sign-in options
    • TOTP + approve sign-in: Users need to enter a TOTP in the password field and approve a sign-in request.
    • Approve sign-in: Users only need to approve a sign-in request. The password field can be blank or can contain any value.
  • Allow offline sign-ins via TOTP: Users can access offline edge server services only when this option is enabled.
  • Allow app password customization: App passwords can be customized. However, since this can make your account vulnerable to attack, we don't suggest enabling this option.

Manage TOTP for devices

TOTP authentication doesn't require an Internet connection [2]. If your team members need to access devices (e.g., Windows computers) without Internet access, select Allow Windows sign-ins via TOTP.

Notes:

  1. The Synology Chat mobile app doesn't support approve sign-in. Refer to this article for a complete support list.
  2. To sign in to an offline device via TOTP, this device must connect to the Internet once after startup.
  3. Passwordless authentication is currently unavailable for Macs and the following Windows services:
    • Remote Desktop (RDP)
    • User Account Control (UAC)
    • SSH