
Genuine question: does MFA conceptually make any sense for a device on your local network, accessed locally?

I understand why you'd want it if trying to access your NAS from the internet, while traveling. (And in which case, if the internet is down, you can't access it anyways.)

But I'm struggling to understand why you'd ever want to enable MFA for signing into a device on your LAN. If it's on your LAN, you probably have physical access to it, and that's basically a factor in itself. Not "something you have", but "where you are" (or I guess it is "something you have" -- the device itself).

I've only encountered MFA before as something to protect remote account access. None of my other local devices support MFA -- I don't use it to unlock my phone, or my encrypted hard drive. So supporting it for local NAS access seems a bit unexpected.




Lots of companies do in fact treat MFA this way. Microsoft's AAD^H^H^H sorry, Entra ID has conditional access rules that forgo the need for MFA when signing in from known locations, and lots of companies make use of that.

But it's becoming more and more popular, and in many cases necessary, to adopt a "zero-trust" approach to all devices no matter where they are located.

That login attempt coming from your office LAN — how do you know it isn't an automated request from a compromised device? If you are enough of a high-value target, do you think it's inconceivable that someone might try and hop on your wifi network from the parking lot?


I might have the MFA device built into the Synology, were I designing it myself.

Just a little 7-segment LCD on the front of the cabinet. Those are, what, a buck or two, and my 8-bay cost about $1000... it's not a big additional cost.

If you can input the number on that, you're provably local. I don't know if that truly solves the problem, a high-value target might have someone posing as an outside contractor to get an eyeball on it, I guess. But for me at home, it'd be sufficient protection.


Some important context: about 6-ish years ago, Synology's OS got hacked from the wild. I think this was before ransomware, but either way, they got a black eye. Only to have another black eye a year or so later when a generation of their boards was hit by an Intel Atom defect, requiring a recall. My guess is the token is to assuage people's concerns who might not otherwise trust them. (I owned a DS1815 and it was an awesome turn-key NAS, even with the Intel defect the RMA was smooth and fast)


Somehow this reminds me about the famous "I can do rsync and FTP, why do I need Dropbox" comment :)

MFA is basically protecting the system when one of the factors (e.g. password) is compromised. It's not about how many network hops there are between you and the system.

A lot of folks think the house and LAN are private, but that's not always true. Your Wi-Fi signal can be picked up from outside the house, someone can unplug your outdoor camera and plug the ethernet cable into something else. When you have a guest, they may need to connect to your Wi-Fi with some random smartphone loaded with 200 random apps.

If you care about security, then you know you can't have it with network segments. The zero trust model is getting more popular in the enterprise world. Maybe it still sounds like too much work for a homelab today, but technologies are getting more and more approachable every single day. Compared to 20 years ago, now I have VMs and containers to isolate processes, letsencrypt to encrypt HTTP, my NAS encrypts the whole RAID with a single click... and of course, software that does MFA effortlessly.

Having a secure authentication system helps me sleep better at night, because I don't worry that something bad may happen just because I can't ensure my home network is 100% free of malicious humans/devices/processes...


> But I'm struggling to understand why you'd ever want to enable MFA for signing into a device on your LAN.

I concur wholeheartedly. I had it enabled on my Synology NAS and the damn thing required me to use MFA every time I logged in - zero memory of the device! Drove me crazy and my only option was to turn off MFA altogether.


> If it's on your LAN, you probably have physical access to it and that's basically a factor in itself.

Just because it's a LAN doesn't mean you have to be physically present to access the device. Another device on your network could be compromised, giving an attacker access to anything that the device can access. For example, say you get tricked into downloading something nasty on your laptop. Now they have remote access to your laptop, giving them access to your NAS. Ultimately it comes down to your threat model. For an average home user, it's probably not very likely that not having 2fa on LAN-only devices would be a huge risk. But for a business with thousands of employees that could plug who-knows-what into your network? Much higher risk.


If the laptop has access to the NAS, the attacker could wait till the user logs in with MFA and piggyback that authentication session. MFA is a bummer, not a defense in this case.


For a home network I think I agree with you, but in a corporate or SOHO environment there may be an open WiFi that requires at least some access to the server locked in the closet. You can't necessarily trust that people who have access to the network should have full access to the server.

And that's before accounting for "defense in depth" approaches.


I use Tor hidden services. All incoming Tor connections come from "localhost". Every single one of them.

In order to properly secure, say, a Tor hidden service's sshd, you can't use fail2ban. You must use 2FA. Fail2ban would just nearly immediately ban you from ever logging in.

I also turn down the login delay to a few seconds, just to make bruting harder.
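The fail2ban failure mode described in this comment, shown over constructed sshd log lines (added illustration, not code from the commenter or from fail2ban itself; it assumes a simplified jail with a `maxretry` threshold and no `findtime` window):

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the page). Behind a Tor onion
# service every client is forwarded from 127.0.0.1, so all failures share
# one source address and a legitimate user shares it too.
ONION_LOG = [
    "Jun  1 10:00:01 nas sshd[101]: Failed password for root from 127.0.0.1 port 40001 ssh2",
    "Jun  1 10:00:02 nas sshd[102]: Failed password for admin from 127.0.0.1 port 40002 ssh2",
    "Jun  1 10:00:03 nas sshd[103]: Failed password for invalid user test from 127.0.0.1 port 40003 ssh2",
    "Jun  1 10:00:09 nas sshd[104]: Accepted publickey for alice from 127.0.0.1 port 40004 ssh2",
]
# Same attempts against a clearnet sshd: the attacker and the legitimate
# user keep distinct source addresses (documentation ranges, constructed).
CLEARNET_LOG = [
    "Jun  1 10:00:01 nas sshd[201]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Jun  1 10:00:02 nas sshd[202]: Failed password for admin from 203.0.113.5 port 50002 ssh2",
    "Jun  1 10:00:03 nas sshd[203]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2",
    "Jun  1 10:00:09 nas sshd[204]: Accepted publickey for alice from 198.51.100.7 port 50004 ssh2",
]

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def fail2ban_bans(lines, maxretry=3):
    """Return the set of source IPs a simplified fail2ban-style jail would ban.

    A source is banned once it accumulates `maxretry` failed logins; the
    real tool also applies a `findtime` window, which is omitted here.
    """
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ip = m.group(1)
            failures[ip] += 1
            if failures[ip] >= maxretry:
                banned.add(ip)
    return banned


def locked_out_users(lines, banned):
    """Legitimate (accepted) logins whose source IP is in the banned set.

    For onion traffic this is every user, since all of them arrive from
    127.0.0.1; the jail has banned the only address the service ever sees.
    """
    hits = (ACCEPT_RE.search(line) for line in lines)
    return sorted(m.group(1) for m in hits if m and m.group(2) in banned)
```

Run on the clearnet sample the jail bans only the attacker's address; on the onion sample it bans 127.0.0.1 and thereby every onion client, which is why per-user factors such as keys plus 2FA have to carry the load there instead of source-based banning.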


I've never set up a Tor server, but I would have assumed incoming traffic could only be sent out to the internet, and that it would be blocked from accessing anything on your LAN, anything in 198.0.1.x. Is that not the case?

Otherwise how could anyone even have a printer connected to their network without people constantly printing junk pages as a prank?

If you've got a setup where Tor traffic can send a packet to your NAS in the first place, you're a far braver soul than I... I trust a firewall far more than I'll trust 2FA.


Yes, all onion service connections appear from 127.0.0.1, but the current v3 onions are not guessable or enumerable. If you don't publish your address you get 0 attacks ever. Have you put your onion address all over the Internet to get attacked?


That's not true.

When you make a HS, it is announced in Tor's DHT. Now, it is true that the scope of the v3 DHT is limited, it is not 0.

(And more specifically, Tor is a 6-4 mixing network overlay with DHT DNS.)


> However, clients still need to ask the directory for information about a specific onion address, which would again allow mass collection of onion addresses. With V3 onion services, this is prevented by using key derivation to derive a daily-rotated identifier ("blinded public key"). [0]

This is the information I have. It's not possible for a relay to know an .onion address like it was with v2. Could you please link to something that proves the contrary?

[0] https://blog.torproject.org/v3-onion-services-usage/


What if the person that has physical access to your LAN is not you? Example, a rogue physical visitor that you were unable to fully supervise.


That's precisely the OP's point. If a rogue physical visitor is a threat vector you need to protect against, then you have a different policy for that (e.g. how they get on your network or physically enter your IT homelab). But if you have a home NAS then what's the point of MFA?



