Multi-Factor Authentication
Veeam Backup & Replication supports multi-factor authentication (MFA) for additional user verification. A one-time password (OTP) generated in a mobile authenticator application is used as a second verification method. Combined with login and password credentials, it creates a more secure environment and protects user accounts from being compromised.
The feature includes:
- Enabling/disabling MFA for all users
- Disabling MFA for service accounts
- Resetting MFA for specific users
Tip |
Multi-factor authentication is compatible with mobile authentication applications that support RFC4226 and RFC6238. |
MFA has the following requirements and limitations:
- Only users with the Veeam Backup Administrator role can manage MFA.
- MFA is not supported in the Veeam Backup & Replication Community Edition.
- MFA is not natively supported for Veeam Backup Enterprise Manager. It can be used with a third party identity provider specified in the SAML authentication settings.
- User groups are not supported. You can enable MFA only for user accounts.
- MFA is not supported for non-interactive connections used by the following applications and backup infrastructure components:
- Veeam Backup & Replication REST API
- Veeam Backup Enterprise Manager (for communication with the Veeam Backup & Replication server)
- Veeam ONE agent (for communication with the Veeam Backup & Replication server)
- Veeam Backup Validator
To avoid connection issues, you must disable MFA for the accounts used to run these applications and backup infrastructure components. For more information, see Disabling MFA for Service Accounts.
- MFA is not supported for PowerShell (either interactive logon or non-interactive connections). To use PowerShell cmdlets with Veeam Backup PowerShell Module or Microsoft Windows PowerShell, run the Veeam Backup & Replication console or Microsoft Windows PowerShell under the service account with disabled MFA.
- MFA also must be disabled for the account in the following cases:
- To restore the configuration database properly, run the Veeam Backup & Replication console or Veeam Backup Configuration Restore application under the service account with disabled MFA.
- To upgrade the remote Veeam Backup & Replication console properly, run it under the service account with disabled MFA.
- If a service provider (SP) uses Veeam Service Provider Console and wants to use multi-factor authentication on the SP backup server, they must set up a service account in Veeam Backup & Replication. For more information, see this Veeam KB article.
- Mobile push notifications are not supported. You can get an OTP code only in the mobile authenticator application.
How MFA Works
Veeam Backup & Replication supports the following scenario for MFA:
- A user logs in to the Veeam Backup & Replication console.
- Veeam Backup & Replication checks if MFA is enabled and configured for the user:
- MFA is enabled but not configured. The user gets the instruction how to set up MFA. Veeam Backup & Replication generates a secret key which is used once for the initial setup in the mobile authenticator application. The hash of the secret key is also saved in the configuration database.
- MFA is enabled and configured. Each time the user logs in they should enter a 6-digit confirmation code generated in the mobile authenticator application. Veeam Backup & Replication checks if the code is valid and, in case of success, starts a user session.
If there are more than 5 unsuccessful attempts, the user can reopen the console and try to log in again after waiting for at least one minute. If the problem persists, the backup administrator can reset MFA by request.
Important |
The code confirmation works when there is no time shifting between the mobile authenticator application and the Veeam Backup & Replication server. Ensure that they are synchronized with the UTC time. Otherwise, the authentication will fail. |
If Veeam Explorers and other applications (except for Veeam Backup PowerShell Module) are started from the console, they do not require additional authentication.
Enabling MFA
To enable the feature for all users:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles > Security.
- Remove user groups from the list if there are any. Leave only specific users.
- Select the Enable multi-factor authentication (MFA) check box.
- Click OK.
Important |
If you generate a new backup server certificate while multi-factor authentication is enabled, any Veeam Backup & Replication consoles connected to the backup server must be restarted to avoid connection issues. |
Resetting MFA for Specific User
The backup administrator can reset MFA by user request if they have authentication issues, lose or change a mobile device with the mobile authentication application, and so on.
To reset MFA for a specific user:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles > Security.
- Select the user and click Reset MFA. The next time the user logs in they will get the instruction how to set up MFA.
Disabling MFA
To disable the feature for all users:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles > Security.
- Clear the Enable multi-factor authentication (MFA) check box.
- Click OK.
Disabling MFA for Service Accounts
If you cannot use MFA due to limitations described in section Requirements and Limitations, you can disable this feature for specific service accounts used to run applications and backup infrastructure components.
To disable the feature for service accounts:
- Log in to the Veeam Backup & Replication console as an administrator.
- Go to Users and Roles > Security.
- Select the service account and click Edit.
- Select the This is a service account (disables two-factor authentication) check box.
- Click OK.
