Recover 2FA Admin Account in Synology
I had some issues with two-factor authentication on a Synology NAS. It wasn't recognizing any second factors, so I couldn't log in to my computer.
Luckily for me, I have SSH access with public/private keys in place and full root access to the NAS.
Reset Synology NAS
Synology encourages you to reset the Admin and Network configuration using the RESET button on the hardware itself. This is possible and does work, but is impractical in any way.
For one, you need physical access to the device and, furthermore, you reset everything!
Disabling Authenticator
There are a couple of tutorials for removing the authenticator on the NAS. You can browse to /usr/syno/etc/preferences/[user]/ and remove the file google authenticator, add another item, or follow other instructions.
This never worked for me. I think this tutorial is outdated and no longer practical for DSM7 and beyond.
Bypassing the user by adding other Admins
Synology adds a couple of custom binaries, which are helpful in this case. After accessing the NAS through SSH (you don't need the second factor there), you can add another user by using the commands synouser and synogroup.
# synouser --add admin_test "ComplexPassword!" "Test Admin" 0 "" 0
# synogroup --get administrators
Group Name: [administrators]
Group Type: [AUTH_LOCAL]
Group ID: [101]
Group Members:
0:[admin]
# synogroup --member administrators admin admin_test
Group Name: [administrators]
Group Type: [AUTH_LOCAL]
Group ID: [101]
Group Members:
0:[admin]
1:[admin_test]
You have a custom admin user with the name admin_test and the Password ComplexPassword! and no second factor.
Furthermore, you can now disable the OTP for the admin user via the GUI with the newly generated user.
Does this count as 2FA-Bypass? I am not really sure, because you need high privileges to add another user to the admin group.
But Keep in Mind: If you have SSH enabled on a Synology NAS, you are losing your 2FA.