Hey! Great question.

I’ve not seen anything that interfaces natively with the Veeam console for B&R, the AWS/Azure platforms support MFA (haven’t tested on GCP yet). You can however limit access to a Veeam console jumpbox that you RDP onto and use something such as Duo to secure that client.

Be interesting if anyone has done something clever to make it work and what Veeam’s stance would be on this!

Hey there @wolff.mateus ...appears nothing native to the VBR server, but does look like for VCSP and Azure/AWS products, MFA is available. I would make a comment in the Veeam Forums so a Product Manager can give more details on if this will be a capability in future releases. If not, maybe they will add one.

Cheers!

Great shout on the Veeam R&D Forum!

You can find the feature request here in the forum:

https://forums.veeam.com/veeam-backup-replication-f2/feature-request-two-factor-auth-support-for-veeam-console-t37867-60.html

Great request since now in v11 the Administrator rights are not needed anymore now.

I see a lot of people using Duo for the Windows authentication, I like that. 

Though Gostev’s answer in the Forum is not “No” but “Not Now” so - my advice is use Duo (or similar) for now, maybe more options will be in place.

Whilst we’re speaking about Duo I just want to highlight one setting that can dramatically impact the effectiveness of the solution. You can choose whether to bypass Duo when the device is offline.

I wouldn’t recommend this as then if the server can’t communicate with the cloud auth service there is no second factor challenge, achievable via breaking communication such as forcing NTP time drift, DNS poisoning etc. Offline auth via Duo app generated OTPs is supported and makes far more sense in this scenario. This feature became available in 2018 so depending on when people have used Duo they may not be aware!

Update from Anton :-)

MFA for the VBR console is coming with V12 this year.

https://forums.veeam.com/post440238.html#p440238

That is awesome.  Cannot wait to test this.

Thanks for sharing @Mildur, that’s brilliant news!

Your welcome, @MicoolPaul :)

Great news @Mildur! This will certainly take the security  to the next level 🥳

Sincere question, is MFA really necessary for a VB&R server?

Couldn't it be more useful to have some sort of sandbox system (inside a Windows Server) that is untouchable from the outside?

No polemic, just to talk about :)

There are companies with security regulations to have MFA on each critical system, or the software cannot be implemented.

Besides that, yes, MFA is better than no MFA.

Backups can be protected by immutability.

But how do you protect unauthorized access to the protected data in the backup? 

Strong physical and virtual security permission policy and encryption policy.

But absolutely right, MFA is better than no MFA.

MFA will very much increase the security of your backup environment. Even if you harden your environment, do 3-2-1, etc., an attacker could cause high damage when accessing your Veeam console; besides the obvious cases, where backups and tapes are deleted. Think about someone altering your jobs so that nothing gets backed up, changing Encryption keys or something more malicious like overwriting your production VMs.

What you say is true @regnor , thanks for posting this examples. MFA will then increase security a lot, very very well.

@marcofabbri another point highlighted is this is MFA within the application vs on the server itself, so wherever the console is installed and can access the B&R server, stealing credentials is no longer sufficient.

Depends on the implementation.

For MFA you need some connection to the Veeam server. Hopefully this is an internal secure connection only….

Indeed, great news! But keep in mind, forum talks about MFA for console. No word about Rest and PowerShell. Without that, MFA for the management system/server should be implemented too!

Is it this year or Q1 next year for the GA ?

Yes, more support for the PowerShell or REST APIwould be great. 

At the time of that post it was this year. But now the current schedule for v12 is January or Q1 2023.

Yes, that is true, better be late than never.

I will prefer the use of a bastion with MFA everywhere than on a Veeam console, but it’s betther than nothing