diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 177b3fbe..66e28f93 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -2,8 +2,7 @@
 
 # Here is a script to deploy cert to Synology DSM
 #
-# it requires the jq and curl are in the $PATH and the following
-# environment variables must be set:
+# It requires following environment variables:
 #
 # SYNO_Username - Synology Username to login (must be an administrator)
 # SYNO_Password - Synology Password to login
@@ -16,6 +15,12 @@
 # SYNO_Hostname - defaults to localhost
 # SYNO_Port - defaults to 5000
 # SYNO_DID - device ID to skip OTP - defaults to empty
+# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
+#
+# Dependencies:
+# -------------
+# - jq and curl
+# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
 #
 #returns 0 means success, otherwise error.
 
@@ -36,6 +41,7 @@ synology_dsm_deploy() {
   _getdeployconf SYNO_Password
   _getdeployconf SYNO_Create
   _getdeployconf SYNO_DID
+  _getdeployconf SYNO_TOTP_SECRET
   if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
     _err "SYNO_Username & SYNO_Password must be set"
     return 1
@@ -86,13 +92,18 @@ synology_dsm_deploy() {
   encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
   encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
 
+  otp_code=""
+  if [ -n "$SYNO_TOTP_SECRET" ]; then
+    otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+  fi
+
   if [ -n "$SYNO_DID" ]; then
     _H1="Cookie: did=$SYNO_DID"
     export _H1
     _debug3 H1 "${_H1}"
   fi
 
-  response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+  response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
   token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
   _debug3 response "$response"
   _debug token "$token"
@@ -100,7 +111,7 @@ synology_dsm_deploy() {
   if [ -z "$token" ]; then
     _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
     _err "Check your username and password."
-    _err "If two-factor authentication is enabled for the user, you have to choose another user."
+    _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
     return 1
   fi
   sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
@@ -113,6 +124,7 @@ synology_dsm_deploy() {
   _savedeployconf SYNO_Username "$SYNO_Username"
   _savedeployconf SYNO_Password "$SYNO_Password"
   _savedeployconf SYNO_DID "$SYNO_DID"
+  _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET"
 
   _info "Getting certificates in Synology DSM"
   response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")