With the introduction of macOS Ventura (v.13) as well as the new iOS 16, Apple has also rolled out the new Passkeys features first introduced at WWDC 2022.
While Apple is not the only company going down the passwordless route, nor is it the first, it took a bit of time to bring this new password-free future to its customers. It is still not all there, and in order for this to work, many companies, platforms, and hardware need to become compliant with the technology behind it.
There is much to say on this matter, but this article will demonstrate how anyone can use this method to log into the Synology DSM 7 using the passwordless method.
Now it is worth mentioning that this is not the same as logging into your DSM using the new DSM 7 Secure Sign-in method and a proprietary app, but rather utilizing Apple's iCloud Keychain and on-device end-to-end authentication.
Enable Password & Keychain feature on your devices
In order for this feature to work there are two major steps that need to be done. First, there is a need to enable the iCloud Password & Keychain feature on macOS and/or iOS.
Going into System Preferences on a Mac (or iOS), and then into Apple ID > iCloud settings will allow for the feature to be turned on.
Now that the devices are in sync, any account and its passkey will be exchanged and accessible on any device, no matter where you try and authenticate.
The private key of each passkey will always be stored on the device, so there is no fear of the password being exploited in the first place. Also, in order to log into a site or service protected by passkeys, Touch ID or Face ID will be used to authorize it. So with biometrics in place, and the fact that no password will be typed, the security of the login increases exponentially.
Configure a passwordless login method inside the DSM profile
In order to configure this method, first log into DSM as the user for whom passwordless login needs to be activated. Next, go into the personal profile settings using the profile icon menu in the top right corner.
Under the Account tab, there will be a Sign-in Method section with several options. The first one is the passwordless one and the other is a "classic" 2-factor authentication.
Since DSM 7 came out, there have been several ways to use this login method: Windows Hello, Touch ID, or a third-party USB hardware key.
In any event, this is the method that will be used in this particular case.
The next step will ask about the type of hardware key. With the latest version of DSM, there is now an option to use Face ID on top of Touch ID as a hardware mechanism. Select the second option and proceed forward.
The following step will offer us the option to save the credentials into the iCloud Keychain. Confirm that and move into the next step.
That's it! All done, and the account is ready to be accessed without the need to type in a password.
How to use Passkey on a Mac or iOS device?
In order to log into a site protected with the Passkeys mechanism, simply visit it and enter the username (depending on the site it might be an email address as well).
The browser will detect the passwordless method for the account and offer several options.
Depending on the device from which the site is being accessed, it might not have the credentials listed, so alternative sign-in options will be needed. For example, if we are accessing the site on a non-Apple device, authorization via iPhone (or any iCloud-compatible device) will be needed.
The result of that will be a challenge that will be sent to a compatible device with a private key needed to sign the request. This will be a QR code that can be scanned with a camera. Finally, FaceID or any compatible biometrics on the device will sign the request and allow for the login to happen.
There we have it. A valid passwordless login method without using a USB key, or Synology's own Secure SignIn option. Also, this process does not include 2FA as it is considered more secure, but it will include the need to use the iCloud Keychain feature.
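The challenge-and-signature exchange described above, as an added example: a simplified Node.js model of a WebAuthn sign-in, not Synology's or Apple's code. The hostname, port and function names are assumptions made for illustration.

```javascript
// Simplified model of a passkey (WebAuthn) sign-in; not DSM's implementation.
const crypto = require('node:crypto');

const RP_ID = 'nas.example.test';        // assumed NAS hostname
const ORIGIN = `https://${RP_ID}:5001`;  // assumed DSM HTTPS origin
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Registration: the key pair is created on the device; the server stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device side: runs once Touch ID / Face ID has approved the request.
// `origin` is what the browser records for the page that asked for the signature.
function authenticatorSign(challenge, origin, userVerified = true) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(rpId) || flags (UP=0x01, UV=0x04) || 4-byte counter
  const flags = Buffer.from([userVerified ? 0x05 : 0x01]);
  const authData = Buffer.concat([sha256(RP_ID), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: every check must pass before a session is issued.
function verifyAssertion(expectedChallenge, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale or foreign challenge';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);  // fresh for every login attempt
  const good = authenticatorSign(challenge, ORIGIN);
  return {
    valid: verifyAssertion(challenge, good),
    replayed: verifyAssertion(crypto.randomBytes(32), good),  // old response, new challenge
    lookalike: verifyAssertion(challenge, authenticatorSign(challenge, 'https://nas.examp1e.test:5001')),
    noBiometric: verifyAssertion(challenge, authenticatorSign(challenge, ORIGIN, false)),
  };
}
console.log(demo());
```

Nothing secret crosses the network in this exchange: the server holds only a public key, and a captured response is useless against the next challenge.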
Problems using this unsupported method
This method works fine on a device that has iCloud Keychain active. When that is not possible, for example when accessing the site on a computer that is not an Apple device, or on a Mac with no iCloud Keychain feature active, there will be problems logging in.
For one, the popup for multiple sign-in devices will not appear. This means that it will not be possible to access the site using a mobile device in order to scan the QR code.
To get out of this, DSM will offer to log in using just a password. This means that all the powerful and secret encryption will be worthless, including any biometrics. If an account is brute-forced, the attacker will only have to get past the account's password to log in.
As said before, there is no way to force the passwordless method in DSM, so be mindful of this fact. That, in combination with the issue mentioned above, means that the best way to log in for the moment will be to use the officially supported methods: Secure SignIn, or the 2FA method using any supported password/MFA manager.
If this is not something that anyone is willing to do, there is always the option of using a third-party self-hosted password manager with its 2FA feature (like Bitwarden). In any event, anything more complex than 12345 as a password will do, but it all depends on how much anyone values their privacy and wants to protect access to their data.