This post is donation-ware. If it did help you, please consider leaving a comment or even buying me a coffee. I will be eternally grateful.
Primary objective
Regain access after 2-factor authentication fails.
Secondary objective(s)
Adjust clock to log in with 2-factor authentication successfully next time.
Background
DSM6 uses the term 2-step verification, and DSM7 refers to it as 2-factor authentication, a more common name.
The one-time password (OTP) used for 2-step authentication is time-based. When there is an offset between the clock of your phone and the clock of your NAS, the code your phone shows does not match the code the NAS expects at that moment. As a result, you are unable to do a 2-step authentication.
You can adjust your NAS clock, but you need to log in first. An out-of-sync clock typically happens with NAS devices that are only occasionally powered on. That does not give them enough time to synchronize the clock.
Actions
There are several ways to repair this issue. First, you have to log in. I give you four options for that (1A-1D). Next, we sync the clock (2).
1A. Be quick or slow
Log in to DSM from your browser with an administrator account. You’re likely to face the same problem. Now you have two options.
One option is to type in the code immediately when available. You wait for the new code to appear, enter it and sign in. If the NAS is approximately one minute ahead, you will succeed.
The second option is the opposite. Enter the OTP but wait until it expires on your phone. Now you sign in. If the clock is approximately one minute behind, you will succeed. You could also wait a little longer in case the clock is more than one minute behind.
If you succeed, continue with step 2. If you fail, continue with step 1B.
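Why being quick or slow can work, as an added example (not code from DSM or from the original post): a minimal RFC 6238 TOTP check in Python, run against a NAS clock that is ahead of or behind the phone. The secret, the 45-second offsets and the acceptance window of one step either side are assumptions made for illustration; the tolerance DSM actually applies is not stated here.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, the RFC 6238 default
WINDOW = 1   # assumption: server also accepts one step before/after its own

def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = int(unix_time // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(secret: bytes, code: str, server_time: float) -> bool:
    """Server-side check against its own time step and WINDOW neighbours."""
    return any(
        hmac.compare_digest(code, totp(secret, server_time + k * STEP))
        for k in range(-WINDOW, WINDOW + 1)
    )

def login_attempt(secret, code_shown_at, submitted_at, nas_offset):
    """The phone shows a code at code_shown_at and the user submits it at
    submitted_at (both in phone-clock seconds). The NAS clock runs
    nas_offset seconds ahead (+) or behind (-) of the phone."""
    code = totp(secret, code_shown_at)
    return server_accepts(secret, code, submitted_at + nas_offset)

SECRET = b"constructed-demo-secret"   # constructed sample, not a real key
T0 = 1_700_000_010                    # constructed: exact start of a 30 s step

if __name__ == "__main__":
    cases = [
        ("in sync, normal entry",        0, 10),
        ("NAS 45 s ahead, quick entry",  45, 2),
        ("NAS 45 s ahead, slow entry",   45, 25),
        ("NAS 45 s behind, quick entry", -45, 2),
        ("NAS 45 s behind, late entry",  -45, 35),  # code already expired on phone
    ]
    for label, offset, delay in cases:
        ok = login_attempt(SECRET, T0, T0 + delay, offset)
        print(f"{label:30} -> {'accepted' if ok else 'rejected'}")
```
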
1B. Lost phone option
Log in to DSM from your browser with an administrator account. Instead of entering the OTP in the second authentication screen, click on the link Lost your phone? You receive an email at the address that is linked to the account that is logging on.
Note that if that user has no email account configured, they will receive no email. You could try another user account.
If you succeed, continue with step 2. If you fail, continue with step 1C.
1C. Use SSH
This solution only works if you enabled SSH on your NAS beforehand. Note that it is disabled by default. You connect to your NAS via a terminal or console application and type in commands with SSH. If you have not enabled SSH, or are not familiar with it, skip this option.
Type in the following commands. You might need root privileges, unless the file belongs to the user you logged in with over SSH.
cd /usr/syno/etc/preference/
mv google_authenticator foogle_authenticator
Now log in again via DSM without the need for an OTP.
If you succeed, continue with step 2. If you fail, continue with step 1D.
1D. Mode 1 reset
Take a paperclip and go to the back of your NAS. Look for the reset button. Press the button with the paperclip for about 4 seconds until you hear a beep. Release the button. This will reset several settings, including 2-step authentication for at least the default admin. The default admin has a blank password now. Log in with that account and change the password when requested.
If you had the default admin account disabled, which is good security practice, disable it again after you have finished with the clock sync. Look into this post on NAS reset to check what may have been reset by the mode 1 reset, and configure these settings again.
Continue with step 2.
2. Sync the clock
After you have succeeded in logging in, you open Control Panel > Regional Options > Time Setting and confirm that Synchronize with NTP server is enabled. Click on the Update Now button.
Congrats, you achieved the primary objective. Please also see Better Synology User Management.
Thanks for reading
Paul Steunebrink / Storage Alchemist