Hi all, it’s been a while since I’ve been here. I wanted to use our common knowledge and testing abilities:
Since the last major update a couple of weeks ago, I’ve been discovering gaps in user authentication within the iOS ‘DS xxx’ line.
I’ve already contacted Synology via support and inquiry tickets but am lacking responses (less risk awareness?), so maybe you can test and give me and them your feedback on:
- am I the only one encountering them?
- is my point of view ‘wrong’ or ‘strange’?
- what is good/better/best user authentication and (role) separation for data safety?
- what should/could we expect from Synology?
For DS finder 3.5.1: no log out (quick button) when logged in (high-level access?!); you are forced to use the desktop user icon to log out.
It always remembers the user & password and only asks for the 2FA code when returning, instead of requesting password AND 2FA after the user has logged out (missing ‘do not remember’ option for the password field!?).
The same ‘do not remember password’ option is missing in the other apps.
It seems like the updated ‘user verification’ is the less secure one. With the current setup the only thing between a logged-out user and an active session is the 2FA code.
Somehow Synology is now “sharing” the machine ID (QuickConnect) and usernames between DSx apps on the same device; when logged in to DS finder I can grab that combination to ‘quick fill’ the boxes.
To me it makes sense that:
- logging in means inputting the PASSWORD (& 2FA if set)
- ‘we’ have multiple machines with different users for different machines, roles and/or needs
- local machine = user level ‘video/sound/photo’; remote/backup is admin level WHEN NEEDED, thus logged out after use, thus different apps should have separate users.
- login steps should be: app PIN, machine ID/IP, username, password, 2FA, with options to ‘please remember my … machine/user/password(?)’, always in that sequence.
- Recently I was able to view photos and folder structure while ignoring the app’s request for 2FA.
Attached images (captions only):
- Good (old) and bad (new) login screens.
- Access without verification, via apps with known user but logged-out status.
- Versions after which ‘less optimized verification’ started and logging out was no longer standard.
Am I wrong to expect a high level of user verification and separation from a NAS ecosystem vendor?
Which steps in user verification should be allowed to be optional / (not) remembered without giving up basic user/data security?
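Worked example, added here by the editor and not part of the original post or of Synology’s apps: a toy Python model of the login sequence the post proposes (app PIN, machine ID/IP, username, password, 2FA) with a per-step “remember” policy. The account names, passwords, TOTP secret and the fake NAS are all constructed assumptions. It shows the two complaints side by side: with a remembered password, a logged-out user is back to an active session with only the 2FA code, while the strict policy demands the password again; and because the modelled server hands out data only to a session that completed 2FA, ignoring the app’s 2FA prompt yields nothing.

```python
"""Toy model of a NAS app login: app PIN -> machine -> username -> password ->
2FA, plus a policy for which steps the client may remember across a logout.
Added illustration, not Synology code; accounts, secrets and the 'NAS' are
constructed for the demo."""
import hashlib, hmac, secrets, struct
from dataclasses import dataclass

def _hash(password):
    # Constructed fixed salt; a real server uses a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)

# Constructed accounts, (machine, username) -> hash: one user per machine/role.
ACCOUNTS = {
    ("nas-home", "media"): _hash("media-pass"),    # user-level: photos/video/sound
    ("nas-backup", "admin"): _hash("admin-pass"),  # admin-level, only when needed
}
TOTP_SECRET = b"constructed-totp-secret"

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; stands in for the 2FA code."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class NAS:
    """Server side: data is served only to a session that completed 2FA."""
    PHOTOS = ["2024/beach.jpg", "2024/kids.jpg"]  # constructed sample data
    def __init__(self):
        self.pending = {}  # password-ok ticket -> (machine, username)
        self.tokens = {}   # session token -> (machine, username)
    def check_password(self, machine, username, password):
        h = ACCOUNTS.get((machine, username))
        if h is None or not hmac.compare_digest(h, _hash(password)):
            return None
        ticket = secrets.token_hex(8)
        self.pending[ticket] = (machine, username)
        return ticket
    def finish_2fa(self, ticket, code, now):
        who = self.pending.pop(ticket, None)  # one 2FA try per password check
        if who is None or not hmac.compare_digest(code, totp(TOTP_SECRET, now)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = who
        return token
    def list_photos(self, token):
        return list(self.PHOTOS) if token in self.tokens else None

@dataclass
class RememberPolicy:
    machine: bool = True    # remembering the machine ID/IP is pure convenience
    username: bool = True   # a username alone unlocks nothing
    password: bool = False  # a remembered password reduces re-login to the 2FA code

STRICT_POLICY = RememberPolicy()
WEAK_POLICY = RememberPolicy(password=True)  # the behaviour the post describes

class ClientApp:
    def __init__(self, nas, policy, app_pin):
        self.nas, self.policy, self.app_pin = nas, policy, app_pin
        self.remembered, self.pin_ok, self.token = {}, False, None
    def unlock(self, pin):
        self.pin_ok = hmac.compare_digest(pin, self.app_pin)
        return self.pin_ok
    def login(self, now, machine=None, username=None, password=None, code=None):
        """Walk the steps in order; return 'ok' or the first step missing/wrong."""
        if not self.pin_ok:
            return "need:pin"
        fields = {"machine": machine, "username": username, "password": password}
        for name in fields:
            if fields[name] is None and getattr(self.policy, name):
                fields[name] = self.remembered.get(name)  # fill only if policy allows
            if fields[name] is None:
                return f"need:{name}"
        ticket = self.nas.check_password(**fields)
        if ticket is None:
            return "bad:password"
        if code is None:
            return "need:2fa"
        token = self.nas.finish_2fa(ticket, code, now)
        if token is None:
            return "bad:2fa"
        self.token = token
        self.remembered = {n: v for n, v in fields.items() if getattr(self.policy, n)}
        return "ok"
    def logout(self):
        self.token, self.pin_ok = None, False  # drops session and PIN unlock alike
    def photos(self):
        return self.nas.list_photos(self.token)

def demo(now=1_700_000_000):
    """Run both policies through login, logout and a code-only return."""
    out = {}
    for label, policy in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        app = ClientApp(NAS(), policy, "1234")
        app.unlock("1234")
        out[f"{label}:password_only"] = app.login(now, "nas-home", "media", "media-pass")
        out[f"{label}:photos_before_2fa"] = app.photos()  # None: 2FA never completed
        out[f"{label}:full_login"] = app.login(now, "nas-home", "media", "media-pass", totp(TOTP_SECRET, now))
        out[f"{label}:photos"] = app.photos()
        app.logout()
        app.unlock("1234")
        out[f"{label}:code_only_relogin"] = app.login(now, code=totp(TOTP_SECRET, now))
    return out
```

Running `demo()` gives `strict:code_only_relogin == "need:password"` but `weak:code_only_relogin == "ok"`, which is the gap the post describes: once the password is remembered, the 2FA code is the only thing between a logged-out device and the data. The ticket/token split is the other point worth keeping: the server, not the app’s screens, decides when 2FA has been completed, so a client that skips the prompt still gets `None` from `list_photos`.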