OK, I do the normal thing, I put 2FA on everything, but I have to say there are quite a few dangers here when you are doing it on your home NAS. In short, I have 2FA on all my Synology accounts, but in rebooting a NAS and swapping some drives in, I suddenly got a “configuration error, 2FA not available.”
This isn’t a problem if you have an admin account without two-factor, but if all your accounts are locked down, your only choice is to do a mode-1 reset by finding a pin and pressing the key in the back of your NAS for 5 seconds until you hear a beep.
This resets all the passwords and resets all the network connections. Then you can log in with just admin and no password. But if you have say a Link Aggregation turned on to aggregate two links, the thing won’t connect, so you need to plug your Synology into a regular port and then rebuild the link later.
This happened I think because with Synology, there is an invisible partition where it stores its apps and other components. But when you are moving storage pools around, it gets confused particularly when you move between devices. It looks like to prevent this, you should make sure to move all the “old” drives up so they are the first ones seen. Also when you install applications it asks you which volume you want to store it in, so make sure it is a volume that is going to stick around.
And, net, both the encrypted volume feature and 2FA are pretty difficult since there is no way to recover. It doesn’t give you a 2FA recovery code for instance. The solution for me is that the main admin account I leave of 2FA, but I have backup admin accounts with huge passwords in case I need to do a reset.
And you don’t need SSDs for ordinary file servers
The integration of SSDs takes an entire drive slot in the consumer NAS systems, so its a big tradeoff to take a 12-drive systems and make it 10 to add a cache, but the difference that it would make.