Recover 2FA Admin Account in Synology
I had some issues with two-factor authentication on a Synology NAS. It wasn't recognizing any second factors, so I couldn't log in to my computer.
Luckily for me, I have SSH access with public/private keys in place and full root access to the NAS.
Reset Synology NAS
Synology encourages you to reset the admin and network configuration using the RESET button on the hardware itself. This is possible and does work, but it is impractical: you need physical access to the device and, furthermore, it resets everything.
There are a couple of tutorials for removing the authenticator on the NAS. You can browse to /usr/syno/etc/preferences/[user]/ and remove the google authenticator file, add another item, or follow other instructions.
This never worked for me. I think this tutorial is outdated and no longer practical for DSM7 and beyond.
Bypassing the user by adding other Admins
Synology adds a couple of custom binaries, which are helpful in this case. After accessing the NAS through SSH (you don't need the second factor there), you can add another user by using the commands
    # synouser --add admin_test "ComplexPassword!" "Test Admin" 0 "" 0
    # synogroup --get administrators
    Group Name: [administrators]
    Group Type: [AUTH_LOCAL]
    Group ID:
    Group Members:
    0:[admin]
    # synogroup --member administrators admin admin_test
    Group Name: [administrators]
    Group Type: [AUTH_LOCAL]
    Group ID:
    Group Members:
    0:[admin]
    1:[admin_test]
You now have a custom admin user with the name admin_test and the password ComplexPassword! and no second factor. Furthermore, you can now disable the OTP for the admin user via the GUI with the newly generated user.
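Since the whole recovery hinges on who is in the administrators group, an audit of that group is the natural control. The script below is an added example, not part of the original post: it parses the synogroup --get output format shown above (using a constructed sample with an assumed Group ID, so it runs offline) and reports members that are not on an expected allow-list.

```shell
#!/bin/sh
# Audit the members of the Synology "administrators" group against an expected list.
# Constructed sample of `synogroup --get administrators` output in the format shown
# above; the Group ID value is assumed. A real run would pipe the command's output.
SAMPLE_OUTPUT='Group Name: [administrators]
Group Type: [AUTH_LOCAL]
Group ID: [101]
Group Members:
0:[admin]
1:[admin_test]'

# Print group members, one per line, from synogroup-style output on stdin.
# Member lines look like "0:[admin]"; every other line is ignored.
parse_members() {
    sed -n 's/^[0-9][0-9]*:\[\(.*\)]$/\1/p'
}

# Print members missing from the space-separated allow-list in $1.
# Reads synogroup-style output on stdin; exit status 1 if anything unexpected is found.
unexpected_admins() {
    allowed=" $1 "
    found=0
    for member in $(parse_members); do
        case "$allowed" in
            *" $member "*) ;;
            *) echo "$member"; found=1 ;;
        esac
    done
    return $found
}

# Example run on the constructed sample: only "admin" is expected, so
# "admin_test" is reported and the function returns 1.
if printf '%s\n' "$SAMPLE_OUTPUT" | unexpected_admins "admin"; then
    echo "administrators group matches the expected list"
fi
```

On a real NAS, replace the sample with `synogroup --get administrators | unexpected_admins "admin"` and run it from cron so an extra administrator shows up before it is used.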
Does this count as a 2FA bypass? I am not really sure, because you need high privileges to add another user to the admin group.
But keep in mind: if you have SSH enabled on a Synology NAS, you are effectively losing your 2FA, because anyone who can log in over SSH with root privileges can create an administrator that has no second factor.