Multi-Factor Authentication

Veeam Backup for AWS multi-factor authentication (MFA) is based on the Time-based One-Time Password (TOTP) method. This method requires a user to install an authentication application on the trusted device. The authentication application will generate temporary six-digit codes used to verify the user identity. Veeam Backup for AWS supports Google Authenticator.

Important

You cannot enable MFA for a user account which user identity was obtained from an identity provider.

Enabling MFA

To enable MFA for a specific user, do the following:

  1. To obtain a secret key and a token, send the HTTP POST request to the /api/v1/users/{userId}/enableMfa endpoint, where {userId} is a name of the user for which you want to enable MFA.

In the x-api-version header, specify the current revision of the Veeam Backup for AWS REST API, in the Authorization header — currently valid access token in the Bearer <access_token> format.

In the request body, specify the recreate parameter. The parameter indicates whether you want to recreate the existing MFA secret key (true) or to enable MFA for the user (false). Specify the false value for the parameter.

Request:

POST https://127.0.0.1:11005/api/v1/users/administrator/enableMfa

 

Request Header:

x-api-version:1.6-rev0

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

 

Request Body:

{

 "recreate": "false"

}

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns the secret key, token, recovery scratch codes and the qrString link. The recovery codes must be saved locally.

Response:

200

Response Body:

{

 "userName": "administrator",

 "qrString": "otpauth://totp/administrator&40ip-172-31-71-115?secret=5XKNCVA54BPWQWCXLJZYLMIBD4&issuer=ip-172-31-71-115",

 "secretKey": "5XKNCVA54BPWQWCXLJZYLMIBD4",

 "scratchCodes": [

   "79529234",

   "99447341",

   "98474119",

   "94074142",

   "95269008"

 ],

 "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA=="

}

  1. Install Google Authenticator on the trusted device.
  2. Open Google Authenticator, create an account and enter the secret key manually.

Google Authenticator will generate a six-digit verification code.

Tip

You can use a QR code to create an account in the authentication application:

  1. On another device, open a QR code generator in a web browser.
  2. In the QR code generator, insert the qrString link returned by Veeam Backup for AWS. The QR code generator will display a QR code.
  3. On your trusted device, open Google Authenticator and choose the Scan barcode option.
  4. Scan the displayed QR code using the device camera.

Google Authenticator will automatically create an account and generate a six-digit verification code.

  1. To associate the authentication application with the authorization server, send the HTTP POST request to the /api/v1/users/{userId}/acceptMfa endpoint.

In the x-api-version header, specify the current revision of the Veeam Backup for AWS REST API, in the Authorization header — currently valid access token in the Bearer <access_token> format.

In the request body, specify the following parameters:

Request:

POST https://127.0.0.1:11005/api/v1/users/administrator/acceptMfa

 

Request Header:

x-api-version:1.6-rev0

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

 

Request Body:

{

 "code": "475112",

 "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA=="

}

A successfully completed operation returns the 201 response code.

Response:

201

Note

In case of losing access to the authentication application:

  • To get authorization in Veeam Backup for AWS, the user can use a recovery scratch code saved locally instead of a verification code. Each recovery code can be used only once.
  • To recreate the MFA secret key for a new device if the trusted device is lost or broken, repeat step 1 (specify the true value for the recreate parameter), and then repeat steps 2, 3 and 4.

Disabling MFA

To disable MFA for a specific user, send the HTTP POST request to the /api/v1/users/{userId}/disableMfa endpoint, where {userId} is a name of the user for which you want to disable MFA.

In the x-api-version header, specify the current revision of the Veeam Backup for AWS REST API, in the Authorization header — currently valid access token in the Bearer <access_token> format.

Request:

POST https://127.0.0.1:11005/api/v1/users/administrator/disableMfa

 

Request Header:

x-api-version:1.6-rev0

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

A successfully completed operation returns the 204 response code.

Response:

204