With the introduction of macOS Ventura (v.13) as well as the new iOS 16, Apple has also rolled out the new Passkeys feature first introduced at WWDC 2022.

Apple's introduction to the Passkeys feature in macOS 13 and iOS 16

While Apple is not the only company going down the passwordless route, nor is it the first, it took a bit of time to bring this new password-free future to its customers. It is still not all there, and in order for this to work, many companies, platforms, and hardware need to become compliant with the technology behind it.

There is much to say on this matter, but this article will demonstrate how anyone can use this method to log into the Synology DSM 7 using the passwordless method.

Now it is worth mentioning that this is not the same as logging into your DSM using the new DSM 7 Secure Sign-in method and a proprietary app, but rather utilizing Apple's iCloud Keychain and on-device end-to-end authentication.

Enable Password & Keychain feature on your devices

In order for this feature to work there are two major steps that need to be done. First, there is a need to enable the iCloud Password & Keychain feature on macOS and/or iOS.

Going into System Preferences on a Mac (or iOS), and then into Apple ID > iCloud settings will allow for the feature to be turned on.

Now that the devices are in sync, any account and its passkey will be exchanged and accessible on any device, no matter where you try and authenticate.

The passkey's private key for each login is always stored on the device, so there is no password to exploit in the first place. Also, in order to log into a site or service protected by passkeys, TouchID or FaceID is used to authorize the login. So with biometrics in place, and the fact that no password is typed, the security of the login improves significantly.

Configure a passwordless login method inside the DSM profile

Keep in mind that this feature is not officially supported by Synology and DSM, and it is not advertised under this name, but it does in fact work.

In order to configure this method, first log into DSM as the user for whom passwordless login should be activated. Next, go into the personal profile settings using the profile icon menu in the top right.

Under the Account tab, there will be a Sign-in Method section with several options. The first one is the passwordless one and the other is a "classic" 2-factor authentication.

Select the Passwordless sign-in option to start

In order for this to work, the DSM instance needs to be running over a valid HTTPS protocol and domain name (custom or Synology-branded one).

Since DSM 7 came out, there have already been several ways to use this login method: Windows Hello, TouchID, or a 3rd party USB hardware key.

In any event, this is the method that will be used in this particular case.

The option for hardware security key needs to be selected
Enter the current account password for verification

The next step will ask about the type of hardware key. With the latest version of DSM, there is now an option to use Face ID on top of Touch ID as a hardware mechanism. Select the second option and proceed forward.

Select the Touch ID/ Face ID option

The following step will offer us the option to save the credentials into the iCloud Keychain. Confirm that and move into the next step.

Confirm that the account's credentials are saved into iCloud Keychain

That's it! All done, and the account is ready to be accessed without the need to type in a password.

All done. Save the setting and test it out

How to use Passkey on a Mac or iOS device?

In order to log into a site protected with the Passkeys mechanism, simply visit it and enter the username (depending on the site it might be an email address as well).

The browser will detect the passwordless method for the account and offer several options.

Enter the DSM account and move to the next step
Either continue or choose sign-in options

Depending on which device the site is accessed from, it might not have the credentials listed, so alternative sign-in options will be needed. For example, if we are accessing the site on a non-Apple device, authorization via iPhone (or any iCloud-compatible device) will be needed.

If there is a need to use the passkey from another device select this option

The result of that will be a challenge sent to a compatible device that holds the private key needed to sign the request. This will be a QR code that can be scanned with a camera. Finally, FaceID or any compatible biometrics on the device will sign the request and allow for the login to happen.

Scan the QR code to log into DSM

There we have it. A valid passwordless login method without using a USB key, or Synology's own Secure SignIn option. Also, this process does not include 2FA as it is considered more secure, but it will include the need to use the iCloud Keychain feature.
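The challenge signing described above follows the WebAuthn model used by passkeys, in which the signed response is bound to the site's origin and domain, which is where a valid HTTPS domain name comes into play. The sketch below is an added example for Node.js, not code from Synology or Apple; the hostname, port and all function names are assumptions made for illustration.

```javascript
// Added example: simulates a passkey (WebAuthn-style) sign-in with constructed values.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Assumptions: hypothetical DSM hostname and port, not taken from the article.
const RP_ID = 'nas.example.com';
const ORIGIN = 'https://nas.example.com:5001';

// Registration: the key pair is created on the device; the server stores only the public key.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey, signCount: 0 }, serverRecord: { publicKey } };
}

// Device side: once Touch ID / Face ID succeeds, sign the server's challenge.
function signAssertion(device, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(++device.signCount);
  // authenticatorData = SHA-256(rpId) || flags (0x05: user present + user verified) || counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: returns 'ok' or the reason the response is rejected.
function verifyAssertion(record, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, record.publicKey, assertion.signature)) return 'bad signature';
  return 'ok';
}

// Demo run: a fresh random challenge signed by the enrolled device is accepted.
const passkey = createPasskey();
const challenge = nodeCrypto.randomBytes(32);
console.log(verifyAssertion(passkey.serverRecord, challenge,
  signAssertion(passkey.device, challenge, ORIGIN, RP_ID)));
```

A response produced for a different challenge, a different domain or by a different key is rejected, which is why nothing reusable ever crosses the network.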

Problems using this unsupported method

Be aware that this method can't be forced, so make sure to always have a separate and complex password for your account in case you need to log into your NAS!

While this method works fine on a device that has iCloud Keychain active, there will be problems logging in where that is not possible, for example when accessing the site on a computer that is not an Apple device, or on a Mac with no iCloud Keychain feature active.

For one, the popup for multiple sign-in devices will not appear. This means that it will not be possible to access the site using a mobile device in order to scan the QR code.

To get out of this, DSM will offer to log in using just a password. This means that all the powerful and secret encryption will be worthless, including any biometrics as well. What this means is that if an account is brute-forced, the attacker will only have to get past the account's password to log in.

As said before, there is no way to force the passwordless method in DSM, so be mindful of this fact. That, in combination with the issue just mentioned, means that the best way to log in for the moment is to use the officially supported methods: Secure SignIn, or the 2FA method using any supported password/MFA manager.

If this is not something that anyone is willing to do, there is always the option of using a 3rd party self-hosted password manager with its 2FA feature (like Bitwarden). In any event, anything more complex than 12345 as a password will do, but it all depends on how much anyone values their privacy and wants to protect access to their data.