11/16/23, 10:42 AM 2-Factor Authentication | DSM - Synology Knowledge Center

DiskStation Manager Synology Router Manager Unified Control

2-Factor Authentication (2FA)

You may set up 2-factor authentication (2FA) for your DSM account. By making a
second identity verification step mandatory, you add an extra layer of protection
to safeguard your account and create a barrier to hacking.
2FA can be enforced on DSM and all related Synology apps (e.g., DS finder and
DS file). Most of Synology services, including packages, mobile apps, and utilities,
support 2FA. However, some services may not fully support this function. (Learn
more)
Supported sign-in methods
Supported methods for the second sign-in step:
Approve sign-in
Verification code (OTP)
Hardware security key
Note:
We recommend downloading Synology Secure SignIn (a mobile app
available on both Android and iOS) for setting up 2FA. You may also use
3rd party authentication apps, such as Google Authenticator, as long as
they support the Time-based One-Time Password (TOTP) protocol
used by DSM.

Set up 2FA
Approve sign-in or Hardware security key
Approve sign-in and hardware security key support web logins only. If you are
using Approve sign-in or hardware security key, we recommend setting up OTP
as a backup sign-in method.
To set up Approve sign-in or hardware security key:
https://kb.synology.com/en-ca/DSM/help/DSM/SecureSignIn/2factor_authentication?version=7 1/4
11/16/23, 10:42 AM 2-Factor Authentication | DSM - Synology Knowledge Center

1. Go to DSM > Personal > Security, and click 2-Factor Authentication.

2. Follow the instructions in Approve sign-in or Hardware Security Key.
OTP
OTP setup is mandatory if you're using Synology mobile apps or utilities, because
Approve sign-in and hardware security key support web login only. We also
recommend setting up OTP as it works when there is no Internet service.
To set up OTP:
1. Go to DSM > Personal > Security, and click 2-Factor Authentication.
2. Select Verification code (OTP), enter your password, and follow the
instructions in the setup wizard.
3. When prompted, download and install Synology Secure SignIn (available
on both Android and iOS) or any 3rd party authentication app on your mobile
device. Open the authenticator app and scan the QR code on the screen.
Your authenticator app then generates a 6-digit verification code.
If you cannot scan the QR code, click the Can't scan it link in the wizard
to obtain a secret key, and enter the secret key into the authenticator
app.
4. In DSM, enter this code into the text field in the wizard. Click Next.
5. Confirm Backup e-mail settings. If you lose your paired device, you can
request a verification code to be sent to this email address.
If you have already configured an email address at DSM > Personal >
Account, the email address is automatically filled in here. Make sure to
verify the email address if you haven't done so.
6. Click Send verification email. Then, check your mailbox and click the link in
the email to verify your email address. Once verified, return to DSM and
continue the OTP setup.
7. Once the setup wizard is finished, click Done to save the settings.
8. If you have successfully completed the verification code setup, 2FA is
enabled.
Note:
If there is an error with the verification code, make sure the system time
of your mobile device and that of DSM are synchronized. Additionally,
make sure the code you entered has not expired.
To verify your email address:
Once you have configured and verified an email address, you can request a
verification code to be sent to the verified email address if you lose your paired
Knowledge Center
https://kb.synology.com/en-ca/DSM/help/DSM/SecureSignIn/2factor_authentication?version=7 2/4
11/16/23, 10:42 AM
Knowledge
device. You can then Centerto sign in to DSM.
use this code
2-Factor Authentication | DSM - Synology Knowledge Center

1. Go to DSM > Personal > Account.

2. Click Send verification mail.
3. Check your mailbox and click the link in the email to verify your email
address.
Sign in to DSM with 2FA
When 2FA is enabled, you will be prompted to use Approve sign-in, a hardware
security key, or enter an OTP code when signing in to DSM.
To sign in to DSM with 2-factor authentication (2FA):
1. On the DSM login page, enter your username as usual.
2. Enter your password and hit Enter or click the right arrow.
3. The system will prompt you to use the default method for the second step of
identity verification. Follow the on-screen instructions.
4. You can also click Try another sign-in method to use another sign-in
method.
5. If you are unable to use any of the sign-in methods or your mobile device is
lost, click the Lost your mobile device? link, and a verification code will be
sent to your email address.
Note:
To receive verification codes via email, you must enter a valid email
address at Personal > Account and verify it. Alternatively, you can
configure a sender at Control Panel > Notification > Email.

Manage 2FA settings

To disable 2-factor authentication (2FA):
To disable 2FA, go to DSM > Personal > Security > 2-Factor Authentication,
enter your password, and click Turn Off. Disabling 2FA does not remove
configured devices for Approve sign-in and 2FA. You can continue to use the
configured devices next time you enable this function.
Note:
If you are unable to sign in to DSM, refer to this article.
To manage trusted devices:
https://kb.synology.com/en-ca/DSM/help/DSM/SecureSignIn/2factor_authentication?version=7 3/4
11/16/23, 10:42 AM 2-Factor Authentication | DSM - Synology Knowledge Center

When you sign in from a trusted device, your Synology NAS will not prompt for a
second verification step.
1. Go to DSM > Personal > Account > 2-Factor Authentication > Manage
Trusted Devices > Manage.
Click Remember this device to have your Synology NAS trust the
device you signed in with. If a device has already obtained trust, you
may click Revoke if you no longer want to remember it.
Click Revoke Other Devices to stop remembering other devices which
have been remembered, such as other computers or mobile devices.
This means that 2FA is required when you sign in to DSM on these
devices.
Note:
Remembered devices are recognized only when you sign in with the
same account and from the same browser. You are required to go
through 2FA in the following scenarios even if you have previously
marked a device as remembered:
You sign in with the same account but on a different browser.
You have cleared cookies from the browser.
You mark a device as remembered when signing in as User A, and
then mark the same device as remembered when signing in as User
B. When you sign in as User A again, you are still required to go
through 2FA.

Was this article helpful? Yes ／ No

Copyright © 2023 Synology Inc. All rights reserved.

Terms & Conditions | Privacy | Cookie Preference |  Canada - English

https://kb.synology.com/en-ca/DSM/help/DSM/SecureSignIn/2factor_authentication?version=7 4/4