Account

This tab provides several methods to protect your DSM accounts from external threats.

2-Factor Authentication (2FA)

2-factor authentication (2FA) provides improved security for DSM user accounts. You can force DSM administrators, all DSM users, or only specific users or groups to enable this service.

To enforce 2FA:

  1. Select Enforce 2-factor authentication for the following users and select the users you want to apply this to.
    • Administrator group users: Select this option to enforce 2FA for users in the administrators group.
    • All users: Select this option to enforce 2FA for all users.
    • Specific users or groups: Select this option and click Settings to select the users or groups to enforce 2FA for.
  2. Click Apply to save the settings. When this is applied, users who have not enabled their 2FA will be asked to finish the setup before they can sign in to DSM.

Note:

  • If you have not yet configured 2FA at Personal > Security, the system will ask whether you want to set up and launch the 2FA setup wizard to complete the required settings.
  • Disabling 2FA enforcement here will not affect or disable the 2FA settings of each user. Users can retain their 2FA settings or go to Personal > Security to disable these settings.
  • 2FA also applies to all SSH-related services, such as SSH terminal, SFTP, and rsync with SSH transfer encryption. However, since Hyper Backup and Shared Folder Sync via rsync with SSH transfer encryption do not support 2FA, these two services will not be able to work normally after 2FA is enabled.

Adaptive Multi-Factor Authentication (Adaptive MFA)

With Adaptive Multi-Factor Authentication (Adaptive MFA), users in the administrators group will be asked to complete a second identity verification step if their login attempts are regarded as risky. For admin users who have not enabled 2FA, this feature is enabled by default.

When Adaptive MFA protection is triggered, you will be prompted for a second form of authentication. The following conditions must all be met in order to trigger Adaptive MFA.

  • You use a password as single-factor authentication (SFA): You choose to sign in with a password, even if you have configured Approve sign-in or a hardware security key.
  • You use an unrecognized/unknown device: This means using a brand new device, an incognito window or a different browser, or signing in after clearing cookies.
  • You are signing in from an external network (WAN).
  • You have signed in to a Synology app that supports Adaptive MFA, or you have verified your email address.

To enable Adaptive MFA:

  1. Select Enable Adaptive Multi-Factor Authentication for administrator group users.
  2. Click Apply to save the settings. When this is applied, administrators who only use a password to sign in will be protected by Adaptive MFA.

To sign in to DSM with Adaptive MFA:

  1. On the DSM login page, enter your username as usual.
  2. Enter your password and hit Enter or click the right arrow.
  3. If the login attempt is regarded as risky, Adaptive MFA will be triggered. It will prompt you for a second form of authentication. You can verify your identity via either of the following methods:
    • Open a Synology app on your mobile device and tap "Yes, it's me".
    • Retrieve the OTP from your email and enter it on the login page.

To configure your email address:

  1. Go to Personal > Account and enter an email address. If you have previously configured it, the email address is automatically filled in here.
  2. Click Send verification email. Then, check your mailbox and click the link in the email to verify your email address. Completing email verification ensures that a verification code will be in your mailbox when you need it.

You can also configure the email or change it in the future. Simply go to Personal > Account, enter a new email, and verify it again.

Supported Synology apps:

Adaptive MFA is currently supported by the following Synology apps. Once you have updated to DSM 7.2, you can use these apps to receive Adaptive MFA verification requests.

Note:

  • To receive verification codes via email, you must enter a valid email address at Personal > Account and verify it.

Account Protection

Account Protection protects your Synology NAS accounts from untrusted clients that have too many failed login attempts. This helps to minimize the risk of brute-force attacks on your accounts.

To enable account protection:

  1. Select Enable Account Protection.
  2. Enter a value in the Login attempts field and a value in the Within (minutes) field. An untrusted client will be blocked if it exceeds the number of failed login attempts within the specified duration.
  3. For Untrusted clients, enter a value in the Cancel account protection (minutes later) field. The account protection will be canceled after the specified duration.
  4. For Trusted clients, enter a value in the Unblock (minutes later) field. The account protection will be canceled after the specified duration.
  5. Click Apply to save the settings.
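
The relationship between the Login attempts, Within (minutes), and Cancel account protection (minutes later) fields can be checked against your own login logs with a small model. The following Python code is an added example, not Synology's code: the class and function names are hypothetical, tracking state per account and client pair is an assumption, and the sample events and setting values are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)          # constructed start time

def at(seconds):
    """Timestamp a given number of seconds after T0."""
    return T0 + timedelta(seconds=seconds)

class AccountProtectionModel:
    """Model of the three fields; state per (account, client) is an assumption."""

    def __init__(self, login_attempts, within_minutes, cancel_minutes):
        self.limit = login_attempts
        self.window = timedelta(minutes=within_minutes)
        self.cancel_after = timedelta(minutes=cancel_minutes)
        self.failures = defaultdict(deque)    # (account, client) -> failure times
        self.blocked_until = {}               # (account, client) -> expiry time

    def is_blocked(self, account, client, now):
        key = (account, client)
        expiry = self.blocked_until.get(key)
        if expiry is not None and now >= expiry:
            del self.blocked_until[key]       # protection canceled after the duration
            return False
        return expiry is not None

    def record_failure(self, account, client, now):
        """Record one failed login; return True if the client is blocked."""
        if self.is_blocked(account, client, now):
            return True
        times = self.failures[(account, client)]
        times.append(now)
        while now - times[0] > self.window:   # drop failures outside the window
            times.popleft()
        if len(times) > self.limit:           # "exceeds the number of failed login attempts"
            self.blocked_until[(account, client)] = now + self.cancel_after
            times.clear()
            return True
        return False

def replay(events, **settings):
    """Replay (timestamp, account, client) failures; return one decision per event."""
    model = AccountProtectionModel(**settings)
    return [model.record_failure(acct, client, ts) for ts, acct, client in events]

# Constructed sample: six failures 20 seconds apart, then one more 40 minutes in.
SAMPLE = [(at(20 * i), "admin", "198.51.100.7") for i in range(6)]
SAMPLE.append((at(2400), "admin", "198.51.100.7"))
```

With 5 attempts within 5 minutes and a 30-minute cancel period, the sixth failure blocks the client, and the failure at 40 minutes is counted from zero because the protection has already been canceled.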

To cancel protection of selected accounts:

  1. Click Manage Protected Accounts.
  2. Select the accounts whose protection you want to cancel and click Cancel Protection.

To unblock trusted clients:

  1. Click Manage Trusted Clients.
  2. Select the clients to be unblocked and click Unblock.