[V13] No MFA and / or password challenge

[kbr]

Hi, am using version 13 (appliance based) and have a personal admin account to login to Windows GUI. I cashed my credentials when logging in (was expecting just the user ID would be cashed but also password was cashed). Log-in timeout is 60 minutes.

Somehow VBR was messed up so i was able to login without OTP (MFA) challenge for a few days in a row. Since credentials are cached i could login for days without and credentials . Logged a case and they are researching the issue.

What i would propose is to either make it default that ONLY user ID can be cached and not the password. If MFA is then broken it will always ask for password. Or to make an option in the GUI to be able to chose if it always asks for a password.

Loggin in without any password / user or OTP prompt is a major security risk. With the secure V13 appliance this should not happend.

[SteveK821]

Where is MFA activated for this user? There are two different places. One is in the Host Management WebUI (Port 10443) and the other is in the console itself, each needs to have MFA activated separately. They are also different MFA entries in your authenticator app. They are listed as "Veeam [vbr-server-name] (host management)" and "Veeam [vbr-server-name] (backup console)".

[kbr]

Since the user is just a regular user on the host management gui there is no MFA on that side. MFA is enabled in de backup console.