How can I enable the 2MFA/MFA or even the passwordless login for my QNAP QTS securely?
Because when I click on the entry above, I cannot click on the enable:
Is your NAS in an environment that password stealing would be an issue ?
1 Like
And weren’t you asking about having your NAS completely blocked from accessing anything to do with the internet? I don’t know if MFA apps will work w/o the NAS having access to the internet.
1 Like
@NA9D ,
Yes, that is correct, I am trying to implement the Zero Trust and passwordless security best practice for my NAS.
@dolbyman ,
Possibly, because my NAS is connected to the network and the QNAP NAS has the capability to browse the internet or at least can do outbound connection for the time being.
Well, if you are completely not on the internet, then I don’t think MFA is going to work.
So if you want to use 2-step verification or passwordless login, then your NAS will need to have access to the internet. You will need to use the QNAP Authenticator app to provide the authentication code (You may be able to use other Authenticator apps as well.
Looking at your original post, the reason you cannot enable this is because your admin account is disabled. You will need to enable your admin account in order to use it. There’s no reason to have your admin account disabled if your NAS is not accessible from the internet.
Or you will need another account with admin access enabled all for recovery.
No need to worry about outbound connections.
2FA (on QNAP) creates more issues than it solves, even more so if one of the devices has the system clock drift too far. (if it cannot sync via NTP)
If an attacker can just push the reset button on your NAS or simply take your drives out, 2FA is the least of your worries.
1 Like
I mean yes he can’t enable 2FA on a disabled account.
But that’s not a reason to enable the admin account. My admin account still doesn’t even have a password after months of NAS use because I used the account the startup wizard made for me.
I have never needed to enable admin to use my NAS.
There is some maintenance commands that do not work with sudo, so best to always keep your admin user on. (In case you need to fix stuff via SSH)
[weedy@TheVault ~]$ sudo bash
Password:
[admin@TheVault weedy]# id
uid=0(root) gid=0(root) groups=0(root),100
Will never enable admin. I refuse.
Why? Users with disabled admin accounts still were hacked via user UID0 (see deadbolt). So disabling that is hindering yourself, not attackers.
Deadbolt was from having WAN accessible NAS and old software. (Also QNAP being dumb)
I have AMIZ, Clamav, CS, Malware remover, and Security Centre installed.
The rest is me playing in docker.
Nothing should get to my NAS without VPN, and I’m running as little QNAP code as I can.
By the time I bother to open a ssh client and type 192.168.xxxxxxx, sudo bash is same level of effort. I don’t even think about it.