Recover Failed 2-Step Authentication

Primary objective

Use 2-step authentication again.

Secondary objective(s)

Adjust clock to log in with 2-step authentication successfully next time.

Background

DSM6 uses the term 2-step authentication, and DSM7 refers to it as 2-factor authentication, which is a more common term.

The one-time password (OTP) that is used for 2-step authentication is time-based. When there is an offset between the clock of your phone and the clock of your NAS, the code your phone shows is not the one the NAS expects at that moment. As a result, 2-step authentication fails.

You can adjust your NAS’ clock, but you need to log in first. An out-of-sync clock typically happens with NAS devices that are only occasionally powered on, which leaves them too little time to synchronize the clock.

Actions

There are several ways to repair this issue. First, you have to log in. I give you four options for that (1A-1D). Next, we sync the clock (2).

1A. Be quick or slow

Log in to DSM from your browser with an administrator account. You’re likely to face the same problem. Now you have two options.
One option is to type in the code immediately when available. You wait for the new code to appear, enter it and sign in. If the NAS is approximately one minute ahead, you will succeed.

The second option is the opposite. Enter the OTP but wait until it expires on your phone. Now you sign in. If the clock is approximately one minute behind, you will succeed. You could also wait a little longer in case the clock is more than one minute behind.

If you succeed, continue with step 2. If you fail, continue with step 1B.
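Why being quick or slow can work, shown as an added example (my illustration, not Synology's code). It assumes the standard TOTP settings from RFC 6238 (30-second steps, 6 digits, HMAC-SHA1) and a NAS that tolerates one step either side of its own clock; the tolerance DSM really uses is not known here. The secret and all times are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default, assumed)
DIGITS = 6
WINDOW = 1   # assumed verifier tolerance: +/- 1 step around the NAS clock

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def phone_code(secret: bytes, phone_time: int) -> str:
    """Code the authenticator app shows at phone_time (Unix seconds)."""
    return hotp(secret, phone_time // STEP)

def nas_accepts(secret: bytes, code: str, nas_time: int, window: int = WINDOW) -> bool:
    """True if the code matches a step within +/- window of the NAS clock."""
    now = nas_time // STEP
    steps = range(max(0, now - window), now + window + 1)
    return any(hmac.compare_digest(hotp(secret, c), code) for c in steps)

def login(secret: bytes, shown_at: int, typed_at: int, nas_offset: int) -> bool:
    """Read the code at phone time shown_at and submit it at phone time typed_at.
    nas_offset is NAS clock minus phone clock in seconds (positive: NAS ahead)."""
    return nas_accepts(secret, phone_code(secret, shown_at), typed_at + nas_offset)

def drift_steps(secret: bytes, code: str, nas_time: int, search: int = 20):
    """Diagnostic: signed step distance from the NAS clock to the code's step."""
    now = nas_time // STEP
    for d in sorted(range(-search, search + 1), key=abs):
        if now + d >= 0 and hmac.compare_digest(hotp(secret, now + d), code):
            return d
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed sample)
    print("NAS 50 s ahead, fresh code typed at once:", login(secret, 30, 31, 50))
    print("NAS 50 s ahead, same code typed late:    ", login(secret, 30, 59, 50))
    print("NAS 50 s behind, fresh code typed at once:", login(secret, 90, 91, -50))
    print("NAS 50 s behind, code typed after expiry: ", login(secret, 90, 125, -50))
    print("Steps between code and NAS clock:", drift_steps(secret, "287082", 119))
```

A negative result from drift_steps means the NAS clock is ahead of the phone by that many steps; once the clocks agree it returns 0 and timing the entry no longer matters.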

1B. Lost phone option

Log in to DSM from your browser with an administrator account. Instead of entering the OTP in the second authentication screen, click on the link "Lost your phone?". You receive an email at the address that is linked to the account that is logging in.

Note that if that user has no email address configured, no email will be sent. You could try another account.

If you succeed, continue with step 2. If you fail, continue with step 1C.

1C. Use SSH

This solution only works if you enabled SSH on your NAS beforehand. Note that it is disabled by default. With SSH you connect to your NAS via a terminal or console application and type in commands. If you have not enabled SSH, or are not familiar with it, skip this option.

Type in the following commands. Note that you might need root privileges, unless you are doing this for the same user you log in with over SSH.

cd /usr/syno/etc/preference/
mv google_authenticator foogle_authenticator

Now log in again via DSM without the need for an OTP.

If you succeed, continue with step 2. If you fail, continue with step 1D.

1D. Mode 1 reset

Take a paperclip and go to the back of your NAS. Look for the reset button. Press the button with the paperclip for about 4 seconds until you hear a beep. Release the button. This will reset several settings, including 2-step authentication for at least the default admin. The default admin has a blank password now. Log in with that account and change the password when requested.

If you had the default admin account disabled, which is good security practice, disable it again after you have finished with the clock sync. Look into this post on NAS reset to check what potentially has been reset with the mode 1 reset and configure these settings again.

Continue with step 2.

2. Sync the clock

After you have logged in, open Control Panel > Regional Options > Time Setting and confirm that Synchronize with NTP server is enabled. Click on the Update Now button.

Congrats, you achieved the primary objective.
