UPDATE: 08/12/2020 - added "Passworless Sign-in" section on the bottom

The new version of DSM 7 will bring a lot of features and some of them will be more visible to the end-user, some will not. The new Secure SignIn is one of those front and center features that will elevate your NAS security by use of a new mobile app for authentification.

Security nowadays is really important and accessing your NAS from the Internet is always a risk no matter how much you try and protect it. With this in mind, we have got yet another option to help us get to our device more securely. Enter Secure SignIn.

Secure SignIn - the good

So what is Secure SignIn? It is a protection element that will once activate, allow you to log into your NAS without the need to use your password, and instead authenticate via your mobile device (using a new Secure SignIn mobile app).

On top of this, the mobile app will also make use of your biometric security features (if your device supports them) and add one more layer of protection.

So how does it work? Well, once you get to your landing page you will enter your username, this will trigger a challenge event towards the mobile app that is paired with your NAS and once you allow the connection, you will log into your NAS. Neat ha?

On top of this, you can still enable 2FA (two-factor authentication) to make things even more secure. Of course, this is not needed but you do have those options. Also, 2FA is there in case you do not want to use the new Secure SignIn.

Both the iOS and Android versions of the mobile authenticator are available so almost every mobile device that can install the app can be used as an authentication device.

The app can be used just like any other mobile authenticator and accept requests from any number of NAS units should you need for it.

Secure SignIn - the bad

UPDATE: the following info is from a DSM7 official Synology webinar that took place on the 22nd of Dec 2020:

Q: Does the Secure SignIn process rely on a cloud service?

A: For the Approve sign-in and Security Key features, the simplest way to set it up would be using Synology's DDNS or QuickConnect, in this case, it will have to connect to the Synology cloud services. However, users can choose not to use the domain services provided.
If users prefer not to use our cloud services, they can still use our features if they can get an available domain for the DSM portal. It requires users to complete more network settings on their own.

At the moment, Secure SignIn works only with QuickConnect or DDNS feature active. What that means is that if you plan on pushing your NAS on the web and use this feature, you will have to authenticate using these two options.

So why is this bad? Well, it is not all bad. If you read the second bullet you will see that you can use your custom domain name to get this function to work.

In External Access you can enter your domain custom name to get to your NAS

This means that in STEP04 (later in the article), the SSI app on your phone will register and use that custom domain name (and port) to access your NAS.

The only downside here is still that if you run your NAS on a custom port (AND YOU SHOULD) you will have to open the port on your router. You would have to do this anyway if you use DDNS, so not that big of a deal.

On top of this, if you are running a reverse proxy, you can configure your public name over 443/https port (something like https://login.yourdomain.com) and point it to your NAS internal IP on a custom port.

In this case, you can have access to your NAS using the same https://login.yourdomain.com URL when accessing it via a web browser, but in case of setting SSI up, the wizard will still add a custom DSM port at the end of your custom domain name (the same port you need to open on your router).

The point of the story is that you can't configure SSI to use simply https://login.yourdomain.com as your configuration while setting it up, even if you do run a reverse proxy. The usage of DSM port is backed in.
NOTE: The sign-in feature generally requires your NAS to have a public IP, domain address, or QuickConnect ID to avoid login problems when your phone and NAS are in different locations. However, if you're sure that you only need to log into the NAS from the local network, you can use a local domain name to process Approve sign-in (by registering the NAS' local IP address to your DNS server)

Still, it is not all bad, if you need this or a similar kind of access in LAN you can still use 2FA on your mobile device to add a secure layer of protection but, you will still have to enter your password first.

All in all, a great addition but with its current demand of using QC or DDNS, forces the user to open up all potential NAS devices to the Internet and on top of that open up any number of ports on the router to make this happen. In case you own more than one device, you will see the problem with this setup and will probably want to return to the conventional method of accessing your NAS (VPN into your LAN for example, or using custom domain name access with 2FA active).

Just so we don't end on a negative note, I just want to make sure that this feature will greatly benefit many users and is by no means a miss in the grand selection of new DSM7 features.

How to configure Secure SignIn

Activating Secure SignIn starts (as stated above) with a valid QC and/or DDNS public address. In the following example, I will use DDNS.

STEP01 - activate DDNS on your NAS

Go to Control Panel > External Access, and then QuickConnect or DDNS tab. Configure them any way you want.

STEP02 - activate Secure SignIn in your user preferences

Activate SSI in user preferences
Start the process

STEP03 - install mobile app

Use the QR code to download the app from the Store and install it

STEP04 - pair your NAS with your mobile device

After you have install the app run it and scan the code

As you can see the configuration and the setup are not really that complicated at all and will be completed in minutes.

Once you have it up and running, authenticating using your phone will be a simple push of a button.

Mobile app, short wizrd and list of NAS devices that have SSI active. Last image simulates authorization using SSI
Example of Synology Secure SignIn in action

Passwordless Sign-in options

With DSM 7 public beta, Synology has expanded on the Single SignIn feature, offering a few more options to log in without the needs of your password, as well as more alternatives to 2FA.

DSM 7 (public beta) Sign-in options

Now we have option to log in paswordless or still use 2FA if we choose to. The cool thing is that on top of the new Secure SignIn mobile app, you can use a hardware based option. These include:

  • USB key
  • Windows Hello (this is in the description but actually not an option atm)
  • macOS TouchID
New login options

When selecting Hardware security key option, you will first need to authenticate with your DSM password in order to move forward.

Then you will have an option to set up either by using the USB key, or TouchID.

Considering that I have no USB keys on hand I tested if TouchID also ment that Watch unlock will also work.

No Watch support, just pure TouchID

However, Watch is not supported, so you will have to use a proper HW implemented TouchID on your native macOS client. Still, an excellent way to login into your NAS!

Let me know what you think of Secure SignIn below in the comments, and if you use it or not. Also, are there any potential problems that you see with this service at the moment and if there are any deal-breakers for you?