blackvoid Synology DSM 7 Passwordless sign-in with Apple Safari and Passkeys

Synology DSM 7 Passwordless sign-in with Apple Safari and Passkeys

With the introduction of macOS Ventura (v.13) as well as the new iOS 16, Apple has also rolled out the new Passkeys feature first introduced at WWDC 2022.

Apple's introduction to the Passkeys feature in macOS 13 and iOS 16

While Apple is not the only company going down the passwordless route, nor is it the first, it took a bit of time to bring this new password-free future to its customers. It is still not all there, and in order for this to work, many companies, platforms, and hardware need to become compliant with the technology behind it.

There is much to say on this matter, but this article will demonstrate how anyone can log into Synology DSM 7 using the passwordless method.

It is worth mentioning that this is not the same as logging into your DSM using the new DSM 7 Secure Sign-in method and a proprietary app; instead, it utilizes Apple's iCloud Keychain and on-device end-to-end authentication.

 
I tried this - all the instructions provided were valid and the passkeys worked fine.

However, unless I'm missing something, enabling this appears to reduce security. You cannot enable passkeys for an account without first removing two-factor access, nor is there anything I see that forces passkeys to be the only accepted access. Intruders could then potentially log in if they can determine account and password. I do not have my NAS exposed to the internet, but given the ransomware players that are active I feel forced to give up passkeys and resume two-factor protection.

Blackvoid - do you have any comments or clarifications? Thanks.
 
> You cannot enable passkeys for an account without first removing two-factor
That is correct. In DSM you can use passwordless authentication or classic with 2FA on top of it.

> nor is there anything I see that forces passkeys to be the only accepted access
Also correct. Considering that these 2 options listed below are the ones that will show up in case this was brute-forced from a device that is not the user's, the login will fall down to the username/password combo.

Screenshot 2022-11-07 at 17.30.02.png


Of course using this passwordless option will also mean that you will have to have some password listed that is known to you in order to be able to log on in case of any trouble with the passwordless method. That password will have to be as secure as possible, but it will indeed be without 2FA.

As I wrote, this method is not officially supported by DSM, but Synology's Secure SignIn method also "suffers" from the same "problem" in case there is an alternative method of login, considering there is no way to force the passwordless method. The same goes for 2FA, as it falls down to SMS code sending that can also be SIM spoofed.

From my point of view, a strong pass with 2FA in this particular case is still the best option, but both methods, when not forced, will be open to various attack vectors using a less secure method of login.

VPN remote access with u/p+2FA would be the best remote access option when it comes to exposing the NAS.
 
Thanks very much for the clarifications and confirmations. It would be lovely to see passkeys supported as an addition to 2FA.
 
> Thanks very much for the clarifications and confirmations. It would be lovely to see passkeys supported as an addition to 2FA.
It might be an option, but even some 3rd party password managers that support 2FA do not support passwordless.

As I said, this is still kind of a work in progress that has some problems, so best to not use it in "production" configuration atm, especially with DSM as this is not 100% supported on DSM side just yet.
 
