Comprehensive data protection for all workloads
pirx
Veteran
Posts: 665
Liked: 99 times
Joined: Dec 20, 2015 6:24 pm
Contact:

[v13] veeamadmin account and personal MFA account

Post by pirx »

I just noticed something as I added the veeamadmin account to my authenticator app during deployment. I added the password to our internal vault, but what about MFA? I know that it's best practice to have dedicated named users for working day to day with the appliance. But having the MFA accounts for veeamadmin etc. just in one person's authenticator app doesn't feel right. I have to admit, I did not run into such a situation before; maybe there is already a simple solution.
Gostev
Chief Product Officer
Posts: 32973
Liked: 8091 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [v13] veeamadmin account and personal MFA account

Post by Gostev »

Yes, this is not a problem indeed because you can just enter the TOTP seed value into multiple authenticator apps for redundancy. And also store this seed in your internal vault so you can use it in future in even more authenticator apps :)

Re: [v13] veeamadmin account and personal MFA account

Post by pirx »

I somehow expected this... As I have no access to the Windows v13 console, where can I find the TOTP seed after deployment? I checked the VBR Web GUI and the Host Management user. MFA reset needed?

Re: [v13] veeamadmin account and personal MFA account

Post by Gostev »

Correct, it would be a vulnerability if it was possible to easily look up the TOTP seed value.

Re: [v13] veeamadmin account and personal MFA account

Post by pirx »

Maybe a hint during deployment would be good to catch simple people like me ;)
DaStivi
Veeam Legend
Posts: 442
Liked: 83 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria
Contact:

Re: [v13] veeamadmin account and personal MFA account

Post by DaStivi »

If you use KeePass, for example, you can also add TOTP/MFA there... With an MFA plugin you can just input the seed there and generate the TOTP code...
Of course, you could even store the seed itself as a secure note inside some credential safe... as Gostev explained already.

One additional note: the TOTP code (seed) is different for the Console and Management Host login! So you would have to have the same account with different MFAs saved! (It's the same user and password, but a different MFA seed, resulting in different TOTP codes!!)
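
Added example, not part of the original thread and not Veeam code: a minimal RFC 6238 generator showing why any app or vault plugin holding the same seed produces the same code, and why two seeds for one user need two vault entries. The vault labels and both seeds are constructed, and the SHA-1 / 30-second / 6-digit parameters are the common authenticator defaults, assumed here rather than confirmed for the appliance.

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for a base32 seed at a given Unix time (HMAC-SHA1)."""
    # Seeds are often shown lower-case, spaced and unpadded; normalise first.
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed seeds, one per login surface (hypothetical labels).
# The first is the RFC 6238 test key, so its codes can be checked against the RFC.
VAULT = {
    "veeamadmin / console": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "veeamadmin / host management": "JBSWY3DPEHPK3PXP",
}

def codes_at(unix_time: int) -> dict:
    """Code each vault entry yields at unix_time, whichever app holds the seed."""
    return {label: totp(seed, unix_time) for label, seed in VAULT.items()}

if __name__ == "__main__":
    import time
    for label, code in codes_at(int(time.time())).items():
        print(f"{label}: {code}")
```

Because the code depends only on the seed and the clock, the seed is the credential to protect: whoever can read the vault entry can generate valid codes.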