One of the must-have features for providing access security for any sensitive application is the ability to implement multi-factor authentication (MFA) as part of the login process. The release of Veeam Backup and V12 added the ability to enable Multi-factor authentication for logging into the Veeam console (including the remote console).
The details:
Before discussing the setup and configuration of MFA, we should discuss what MFA apps are supported.
Veeam Backup and Replication supports Time-Based One-Time Passwords (TOTP) as per RFC 6238 installed on a mobile device. For example, the following MFA TOTP applications are supported:
- Microsoft Authenticator
- Google Authenticator
- LastPass Authenticator
- DUO
- Okta Verify
- Many more are listed if you do a quick internet search ;)
A console auto-logout time can also be set to ensure that a user gets logged out of the Veeam console after a configurable period of inactivity.
Configuring MFA:
Step 1:
Access the Users and Groups selection on the options menu
Step 2:
You can turn on MFA and enable auto logoff for extra security from there.
Note:
If you have an account that is a service account and you would like to disable MFA, select the user and click edit. In the next window, you will have the option to turn off MFA.
Step 3:
On the next login to a Veeam console, the user will be prompted to set up MFA on their TOTP application on their mobile device. They can scan the QR code if the application provides that ability or manually enter the provided code.
Step 4:
Once the TOTP application is synched with the Veeam console, the user will be prompted to enter the OTP (one-time password) presented on the mobile application.
An administrator can reset the MFA requirement for specific users if needed.
Conclusion:
Multi-factor authentication is a great new feature to help protect your Veeam infrastructure from external threats. It is simple to set up, configure and use and provides one more layer of security to your infrastructure. After installing or upgrading to V12, this should be on the list of features to enable and require all Veeam admins and users to us.
