Multi-Factor Authentication
Veeam Backup & Replication supports multi-factor authentication (MFA) for additional user verification. A one-time password (OTP) generated in the mobile authenticator application is used as a second verification method. Combined with login and password credentials, it creates a more secure environment and protects user accounts from being compromised.
The feature includes:
- Enabling/disabling MFA for all users
- Disabling MFA for service accounts
- Resetting MFA for specific users
Requirements and Limitations
MFA has the following requirements and limitations:
- Only users with the Veeam Backup Administrator role can manage MFA.
- MFA is not supported in the Veeam Backup & Replication Community Edition.
- MFA is not natively supported for Veeam Backup Enterprise Manager. It can be used with a third party identity provider specified in the SAML authentication settings.
- User groups are not supported. You can enable MFA only for user accounts.
- MFA works only for interactive logon. You can disable MFA for specific service accounts used for non-interactive actions. For more information, see Disabling MFA for Service Accounts.
- To restore the configuration database properly, run the Veeam Backup & Replication console or Veeam Backup Configuration Restore application under the service account with disabled MFA.
- To upgrade the remote Veeam Backup & Replication console properly, run it under the service account with disabled MFA.
- To use PowerShell cmdlets with Veeam Backup PowerShell Module or Microsoft Windows PowerShell, run the Veeam Backup & Replication console or Microsoft Windows PowerShell under the service account with disabled MFA.
- Mobile push notifications are not supported. You can get an OTP code only in the mobile authenticator application.
How MFA Works
Veeam Backup & Replication supports the following scenario for MFA:
- A user logs in to the Veeam Backup & Replication console.
- Veeam Backup & Replication checks if MFA is enabled and configured for the user:
- MFA is enabled but not configured. The user gets the instruction how to set up MFA. Veeam Backup & Replication generates a secret key which is used once for the initial setup in the mobile authenticator application. The hash of the secret key is also saved in the configuration database.
- MFA is enabled and configured. Each time the user logs in they should enter a 6-digit confirmation code generated in the mobile authenticator application. Veeam Backup & Replication checks if the code is valid and, in case of success, starts a user session.
If there are more than 5 unsuccessful attempts, the user can reopen the console and try to log in again after waiting for at least one minute. If the problem persists, the backup administrator can reset MFA by request.
Note |
The code confirmation works when there is no time shifting between the mobile authenticator application and the Veeam Backup & Replication server. Ensure that they are synchronized with the UTC time. |
If Veeam Explorers and other applications (except for Veeam Backup PowerShell Module) are started from the console, they do not require additional authentication.
Enabling MFA
To enable the feature for all users:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles.
- Remove user groups from the list if there are any. Leave only specific users.
- Select the Require two-factor authentication for interactive logon check box.
- Click OK.
Resetting MFA for a Specific User
The backup administrator can reset MFA by user request if they have authentication issues, lose or change a mobile device with the mobile authentication application, and so on.
To reset MFA for a specific user:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles.
- Select the user and click Reset MFA. The next time the user logs in they will get the instruction how to set up MFA.
Disabling MFA
To disable the feature for all users:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles.
- Deselect the Require two-factor authentication for interactive logon check box.
- Click OK.
Disabling MFA for Service Accounts
MFA is not supported for non-interactive connections used by the following applications and backup infrastructure components:
- Veeam Backup & Replication REST API
- Veeam Backup Enterprise Manager (for communication with the Veeam Backup & Replication server)
- Veeam ONE agent (for communication with the Veeam Backup & Replication server)
- Remote Console for VCC service providers
If applications and backup infrastructure components include non-interactive communication and run under a service account, you must disable MFA for these accounts to avoid connection issues.
To disable the feature for service accounts:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles.
- Select the service account and click Edit.
- Select the This is a service account (disable two-factor authentication) check box.
- Click OK.
