Review on Synology C2 Password

By Category: Digital, My Life!Tags: , , , , , ,

Synology just launched their C2 Password on 22 July 2021.  Synology C2 is a suite of cloud services (by Synology, of course), designed to meet the storage, password management, secure file sharing, and backup needs of home users, prosumers, professionals, and businesses.  Besides C2 Password, C2 Storage has been available for a couple of years if I did not remember wrongly.   The rest of the Synology C2 suite, C2 Backup, C2 Transfer, and C2 Identity, are still in the “Coming Soon” stage according to the Synology C2 site.  Synology C2 is designed with 3 key principles in mind,

  • Trusted Cloud Infrastructure: Data storage security supporting both server-side encryption and also client-side encryption via private keys that never leave your device.
  • Compliance and Privacy: Colocated data centers that pass stringent and rigorous inspection and certification (ISO 27001 and SOC 2 Type II) for security procedures and physical safety features.
  • Data Residency: Data centers in the USA, Germany, and Asia (coming in 2021) to ensure data is stored exclusively in the country of choice of the customer.

Introduction to C2 Password

C2 Password is Synology’s answer to the demand for credential management products.  Other products on the market include 1Password, LastPass, or BitWarden.  The key purpose of C2 Password is to provide credential management from any platforms and devices, and secure sharing of files, all done in the highest security standard available today.  Let’s take a quick look at the features/components of C2 Password:

  • My Vault: This is the main dashboard/landing page of C2 Password whereby all the items of the credential management are listed and organized.  These items are securely kept in Synology’s C2 Cloud and made available (and synchronized) on various platforms including its web portal, web extensions on supported browsers such as Chrome and Edge, and also on iOS and Android Apps in the near future.  The types or categories of items that C2 Password’s credential management can support will be shown later.
  • Password Generator: This is where C2 Password can help to suggest and generate passwords with customizable lengths and strengths to meet each user’s needs.  Another feature of the Password Generator is the generation of time-based one-time passwords (TOTPs) for websites and other services that require 2 step authentication.
  • File Transfer: This allows the sharing of files securely with a target group of recipients via a time-limited URL and support for a limited number of downloads and also watermarking of the shared file.
  • Platform Security: The C2 Password Platform is protected using end-to-end RSA-2048 and AES-256 standards and this encryption is always done on the user’s devices.  This zero-knowledge design guarantees that all your data is always encrypted before reaching the Synology C2 Cloud.  and hence even the C2 Password is not able to decrypt the contents.  Login to C2 Password platform support 2FA for strong authentication to the contents.  For more information on how the C2 Password Platform is designed with security in mind, you can check out the white paper released by Synology on this topic.

Here are some feature comparisons between C2 Password and the other credential management products on the market based on the best available information on the respective websites*.

*I’m not representative of any products or websites and not liable for any outdated or incorrect information shown here.  Read and reference at your own discretion.

For more information on C2 Password, the help and FAQ can also be found here.

Registration and Setup

To use C2 Password, first, you will need to register for an account/login and also set up the browser extension (Chrome in my case).  Let’s take a step-by-step walk-through of this process.

The very clean and simplistic design of C2 Password

To register for C2 Password, you can use your Synology Account, Google, or Apple credentials.

The usual Terms of Service and disclaimer for any risk undertaken.

Select the Data Centre you prefer to keep your data.

The C2 Password is now free with the features and services are shown.  The mobile app for C2 Password will be available later.

Proceed to set up your credentials after registration is completed.

Select your C2 Encryption Key subjected to the recommended conditions. This key is stored on your device during setup.

A Recovery Code (your last chance for recovery) will also be generated for safekeeping.  Keep this code safe!

There! Registration for C2 Password is completed and this is the C2 Password User Interface which is called My Vault.

Next, search for the C2 Password Chrome Extension and install it.

Once you install the Chrome Extension, it should appear as a blue shield icon on your top right corner of Chrome browser.

Upon login, you will also be prompted for your C2 Encryption Key.  You can set if you want the Chrome Extension to prompt you for the C2 Encryption Key regularly in the Options.

You should be able to see your list of C2 Password assets after verifying the C2 Encryption Key.

The C2 Password Chrome Extension also provides quick access to the Password Generate of C2 Password.

Option for the C2 Password Chrome Extension on how much idle time before auto-lock.

With the C2 Password Chrome Extension, you will be prompted to use the stored Credential for login to websites.

Credential Management

After registration and setup of the browser extension, let us take a quick look at the different categories of credentials supported by the C2 Password vault.  So far, I have only tried the Login and Secure Note.  For the rest, I suspect they are more for secured storage on Synology C2 Cloud for now.

Categories of secured information that are available in C2 Password.

Login info is the most straight forward but the URL integration can be improved.  I’ll explain more later.

Identity info can store a lot of details and allow custom fields.  I guess this is aligned to the C2 Identity to be released later.

Bank Account info is quite detailed too though I do not think I have much use for this.

Payment Card info is very comprehensive but I have yet to test its integration for web-based payments.

Similarly for Email Account info, yet to test its integration with email apps or clients.

I like secure note as it allows secrets to be stored in an encrypted form easily.

This one is new to me, secure storage of configurations of WiFi network settings.  Not too sure if it has another integration besides secure info storage.

 

Secure File Sharing

After looking at the credential management, let’s have a go on how to use the secure file sharing feature of C2 Password.

To use the secure File Transfer, start by creating a “Task” and uploading the file you wish to share.  Note that it has a file size limitation of 100MB.

Next, key in the list of email addresses you wish to share this file(s) with.

The selected file(s) will be encrypted and uploaded to the Synology C2 backend.

A link will then be created to be shared with the recipients either by copying the link or emails

The recipient will receive an email with the link (I have masked out the rest of the gibberish link hence it looks so short).

The recipient upon clicking on the URL will be shown a C2 Password website asking to key in their email access.  Note that the email will not be automatically populated just in case the link falls into the wrong hands.

Next, the recipient will be asked to key in a 6 digit Access Code which will be sent to their email account after keying it in the previous screen.

This is what the recipient will receive in their email.

Only with the successful verification by the Access Code, then the shared file will be made available to the recipient.

What if I have somehow gotten the shared link and reached the website asking me to key in the email address? No worries, if the email account is not part of the recipient list, the Access Code will not be sent.

 

Improvements

Currently, the C2 Password is still very new and infant.  Features such as My Vault, Password Generator, and Secure File Transfer certainly do serve and work according to what they are supported to do.  However, I did find some areas in the usabilty that I thought could have been made more user friendly.  For example, if I can directly navigate and log into the website that I wish to access just clicking on the item in the list on the C2 Password Chrome Extension, instead of clicking through the steps shown below.  Also, some how, the Password Assistant that pop out on login input fields seems to be “fighting” with that provided by Chrome.  These are some of the things that would help to improve the user experience of C2 Password for sure.

To access and log in to any of the website accounts you set up in C2 Password, I would naturally click on the C2 Password Chrome Extension icon.  It shows the list of accounts but it only allows me to copy the username or password.

Clicking on the down arrow reveals more details on the account.  Only clicking on the highlighted icon next to the URL will launch the website you want to access and log in.  Clicking on the URL itself triggers no action too.

Conclusion

C2 Password is Synology’s answer to the world’s demand for credential management products.  After about one week or so of using it, I can say that is it is working as per what it suppose to do.  I have been using the C2 Password as a password manager more than anything else.  Though there are some areas of improvement for a better user experience, I am comfortable with using it, with no difference from the other credential management products.  Since C2 Password is able to support various categories of identity data in My Vault, I was hoping that more integration features between these categories and other Apps or settings can be made available by C2 Password.  For example, the fields and data captured in the Email Account item can automatically configure the email client on my new laptop, or, the WiFi Router item can be used to configure routers or WiFi settings on new devices in my network.

Currently, C2 Password is still free but there seem to plan for Synology to make it into a paid service.  However, with the other popular services such as 1Password, LastPass, and even BitWarden starting to charge for more features and device synchronization, Synology C2 Password is certainly giving these a run for the money.  Give C2 Password a try and let me know your views in the comments below.