Question

MFA with Veeam B&R


Userlevel 7
Badge +3

Hello everybody!

 

I’d like to know if is possible to have a Multi-Factor Authentication to access Veeam Backup & Replication console?

Do we have something native on Veeam about it?

 

 


7 comments

Userlevel 7
Badge +4

Hey! Great question.

 

I’ve not seen anything that interfaces natively with the Veeam console for B&R, the AWS/Azure platforms support MFA (haven’t tested on GCP yet). You can however limit access to a Veeam console jumpbox that you RDP onto and use something such as Duo to secure that client.

 

Be interesting if anyone has done something clever to make it work and what Veeam’s stance would be on this!

Userlevel 7
Badge +2

Hey there @wolff.mateus ...appears nothing native to the VBR server, but does look like for VCSP and Azure/AWS products, MFA is available. I would make a comment in the Veeam Forums so a Product Manager can give more details on if this will be a capability in future releases. If not, maybe they will add one.

Cheers!

Userlevel 7
Badge +4

Hey there @wolff.mateus ...appears nothing native to the VBR server, but does look like for VCSP and Azure/AWS products, MFA is available. I would make a comment in the Veeam Forums so a Product Manager can give more details on if this will be a capability in future releases. If not, maybe they will add one.

Cheers!

Great shout on the Veeam R&D Forum!

Userlevel 7
Badge +2

You can find the feature request here in the forum:

 

https://forums.veeam.com/veeam-backup-replication-f2/feature-request-two-factor-auth-support-for-veeam-console-t37867-60.html

Userlevel 7
Badge +5

Great request since now in v11 the Administrator rights are not needed anymore now.

Userlevel 7
Badge +1

I see a lot of people using Duo for the Windows authentication, I like that. 

Though Gostev’s answer in the Forum is not “No” but “Not Now” so - my advice is use Duo (or similar) for now, maybe more options will be in place.

Userlevel 7
Badge +4

Whilst we’re speaking about Duo I just want to highlight one setting that can dramatically impact the effectiveness of the solution. You can choose whether to bypass Duo when the device is offline.

 

I wouldn’t recommend this as then if the server can’t communicate with the cloud auth service there is no second factor challenge, achievable via breaking communication such as forcing NTP time drift, DNS poisoning etc. Offline auth via Duo app generated OTPs is supported and makes far more sense in this scenario. This feature became available in 2018 so depending on when people have used Duo they may not be aware!

Comment