• EN

From the architect’s desk - Multi-factor authentication how-to

vmJoe
Userlevel 7
Badge +7

One of the must-have features for providing access security for any sensitive application is the ability to implement multi-factor authentication (MFA) as part of the login process. The release of Veeam Backup and V12 added the ability to enable Multi-factor authentication for logging into the Veeam console (including the remote console).

 

The details:

Before discussing the setup and configuration of MFA, we should discuss what MFA apps are supported.

Veeam Backup and Replication supports Time-Based One-Time Passwords (TOTP) as per RFC 6238 installed on a mobile device.  For example, the following MFA TOTP applications are supported:

  • Microsoft Authenticator
  • Google Authenticator
  • LastPass Authenticator
  • DUO
  • Okta Verify
  • Many more are listed if you do a quick internet search ;)

A console auto-logout time can also be set to ensure that a user gets logged out of the Veeam console after a configurable period of inactivity.

 

Configuring MFA:

Step 1:

Access the Users and Groups selection on the options menu

 

Step 2:

You can turn on MFA and enable auto logoff for extra security from there.

 

Note:

If you have an account that is a service account and you would like to disable MFA, select the user and click edit.  In the next window, you will have the option to turn off MFA.

 

 

Step 3:

On the next login to a Veeam console, the user will be prompted to set up MFA on their TOTP application on their mobile device. They can scan the QR code if the application provides that ability or manually enter the provided code.

 

Step 4:

Once the TOTP application is synched with the Veeam console, the user will be prompted to enter the OTP (one-time password) presented on the mobile application.

 

An administrator can reset the MFA requirement for specific users if needed.

 

Conclusion:

Multi-factor authentication is a great new feature to help protect your Veeam infrastructure from external threats.  It is simple to set up, configure and use and provides one more layer of security to your infrastructure.  After installing or upgrading to V12, this should be on the list of features to enable and require all Veeam admins and users to us.

 

 

Joe Gremillion, VMCA, TOGAF, VeeaMVP

11 comments

JMeixner
Userlevel 7
Badge +17

Yes, it’s really easy to configure and works great. 😎

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2023 | Veeam Certified Architect (VMCA) 2022 | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
vmJoe
Userlevel 7
Badge +7

It really is! The most questions I receive about MFA is regarding what MFA applications are supported.

Joe Gremillion, VMCA, TOGAF, VeeaMVP
dloseke
Userlevel 7
Badge +6

I haven’t played with this yet but just took a quick peek at it yesterday.  I didn’t realize there was an option to disable MFA for service accounts, so this is good info to know!  Thanks Joe!

Derek M. Loseke, Senior Systems Engineer | Veeam Legend 2022-2023 | VMSP/VMTSP | VCP6-DCV | VSP/VTSP | CCNA | https://technotesanddadjokes.com | @dloseke
vmJoe
Userlevel 7
Badge +7

@dloseke and that's the second question I get 😉! Glad I could help!

Joe Gremillion, VMCA, TOGAF, VeeaMVP
Chris.Childerhose
Userlevel 7
Badge +20

Easiest and one of the best features added to v12.  We will be configuring this once we upgrade our sites.  Thanks for sharing, Joe.  👌🏼

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Iams3le
Userlevel 7
Badge +9

Neatly outlined. Thank you very much for sharing. 

[Microsoft MVP | Veeam Legend 5* | VMware vExpert 4* | Cisco Champion 3* | Object First Ace]
coolsport00
Userlevel 7
Badge +17

Also good to know there is ability to disable if (hopefully rarely) needed. Nice concise write-up @vmJoe . Thanks!

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
Lior Staricoff
Badge

Question:
I have removed my Veeam servers out of the domain (security reasons - best practice Veeam)
Can i use the Veeam V12 MFA on non domain users ( Local users)?

Chris.Childerhose
Userlevel 7
Badge +20

Question:
I have removed my Veeam servers out of the domain (security reasons - best practice Veeam)
Can i use the Veeam V12 MFA on non domain users ( Local users)?

Yes you can for local users the same as domain users.

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Geoff Burke
Userlevel 7
Badge +22

Thaks @vmJoe This was a great reminder to start getting this introduced asap!

VMCA2022, VMCE2023, CKA, CKAD, KCNA, LFCS, PCA,TARS
Scott
Userlevel 7
Badge +8

I’ll be implementing this soon. Great writeup

Comment


Terms & Conditions