Multi-Factor Authentication

Veeam Backup for Google Cloud multi-factor authentication (MFA) is based on the Time-based One-Time Password (TOTP) method. This method requires a user to install an authentication application on the trusted device. The authentication application will generate temporary six-digit codes used to verify the user identity.

Enabling MFA

To enable MFA for a specific user, do the following:

  1. To obtain a secret key and a token, send the HTTP POST request to the /api/v1/accounts/users/{name}/mfaEnable endpoint, where {name} is the name of the user for which you want to enable MFA.

In the x-api-version header, specify the current revision of the Veeam Backup for Google Cloud REST API. In the Authorization header, specify a currently valid access token in the Bearer <access_token> format.

In the request body, specify the recreate parameter. The parameter indicates whether you want to recreate the existing MFA secret key (true) or to enable MFA for the user (false). Specify the false value for the parameter.

Request:

POST https://123.123.123.123:13140/api/v1/accounts/users/administrator/mfaEnable

Request Header:

x-api-version:1.3-rev0
Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

Request Body:

{
  "recreate": "false"
}

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Google Cloud returns the secret key, token, recovery scratch codes and the qrString link. The recovery codes must be saved locally.

Response:

200

Response Body:

{
  "response": {
    "qrString": "otpauth://totp/administrator@ap-ubuntu-2?secret=P6JV3GGODIMXHOUZ2OAXN3S2LQ&issuer=ap-ubuntu-2",
    "secretKey": "P6JV3GGODIMXHOUZ2OAXN3S2LQ",
    "scratchCodes": [
      "13433973",
      "96799468",
      "19712857",
      "22056331",
      "90916425"
    ],
    "token": "NEQ0RTY2RUNFNzAxQjdCMjE0MjVEOTRDOTMwRTlDNEY3RThDRkZBODM3MTY1N0E2NUUyQkYxNjAwQTYyNDlGNA=="
  },
  "issues": []
}

  2. Install a supported authentication application on the trusted device.
  3. Open the authentication application, create an account and enter the secret key manually.

The authentication application will generate a six-digit verification code.

Tip

You can use a QR code to create an account in the authentication application:

  1. On another device, open a QR code generator in a web browser.
  2. In the QR code generator, insert the qrString link returned by Veeam Backup for Google Cloud. The QR code generator will display a QR code.
  3. On your trusted device, open a supported authentication application and choose the Scan barcode option.
  4. Scan the displayed QR code using the device camera.

The authentication application will automatically create an account and generate a six-digit verification code.

  4. To associate the authentication application with the authorization server, send the HTTP POST request to the /api/v1/accounts/users/{name}/mfaAccepted endpoint.

In the x-api-version header, specify the current revision of the Veeam Backup for Google Cloud REST API. In the Authorization header, specify a currently valid access token in the Bearer <access_token> format.

In the request body, specify the following parameters:

Request:

POST https://123.123.123.123:13140/api/v1/accounts/users/administrator/mfaAccepted

Request Header:

x-api-version:1.3-rev0
Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

Request Body:

{
  "code": "475112",
  "token": "NEQ0RTY2RUNFNzAxQjdCMjE0MjVEOTRDOTMwRTlDNEY3RThDRkZBODM3MTY1N0E2NUUyQkYxNjAwQTYyNDlGNA=="
}

A successfully completed operation returns the 200 response code.

Response:

{
  "success": true,
  "issues": []
}

Note

In case of losing access to the authentication application:

  • To get authorization in Veeam Backup for Google Cloud, the user can use a recovery scratch code saved locally instead of a verification code. Each recovery code can be used only once.
  • To recreate the MFA secret key for a new device if the trusted device is lost or broken, repeat step 1 (specify the true value for the recreate parameter), and then repeat steps 2, 3 and 4.

Disabling MFA

To disable MFA for a specific user, send the HTTP POST request to the /api/v1/accounts/users/{name}/mfaDisable endpoint, where {name} is the name of the user for which you want to disable MFA.

In the x-api-version header, specify the current revision of the Veeam Backup for Google Cloud REST API. In the Authorization header, specify a currently valid access token in the Bearer <access_token> format.

Request:

POST https://123.123.123.123:13140/api/v1/accounts/users/administrator/mfaDisable

Request Header:

x-api-version:1.3-rev0
Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev2hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

A successfully completed operation returns the 200 response code.

Response:

{
  "success": true,
  "issues": []
}