Veeam Agent notifications fail after gmail 2sv

[daystrom]

After I added 2-step verification to my gmail account veeam can no longer send notifications.

There must be a fix?

Case #04330409

[HannesK]

Hello,
adding multi factor authentication (MFA) to your email account is like changing the password from the perspective of the software.

There is no fix for "wrong password".

What you are asking for is a new feature in the software. Support for multi factor authentication

Best regards,
Hannes

[daystrom]

I would never expect that veeam, which seems to maintain well curated products, would not have 2sv covered at this time. 2sv is totally mainstream. It means every organization or person that uses a 2sv enabled account either doesn't get notifications about backups, or else uses less secure accounts for this purpose?

[HannesK]

Hello,

or else uses less secure accounts for this purpose?

that depends how "less secure" is defined. multi factor authentication helps for the situation, where customers are not able to protect their passwords.

Assuming the setup I would do (one account at random email provider for all my agents): what is the problem of losing that account? I would not really care. And chances are nearly zero that it ever happens. Because I don't share my passwords with hackers

The resources development do not stand in any relation to the outcome. Customers with a license usually use the central monitoring / email feature of VBR. As an alternative, there is the Veeam Service Provider Console.

So adding multi factor authentication for all the major email service providers on this planet in favor to adding features that really help the customers would be a bad decision from our side.

If it would be really important for our customers, then there would be many requests for that on the forums (I suggest to check the results in forum search )

Best regards,
Hannes

[soncscy]

Out of curiosity daystrom, how would you even see that working? I know Google's cloud suite has an API for OAuth on service accounts, but I don't think gmail does.

Further more, I don't know many clients on gsuite frankly speaking. I know they exist, but even with a 2FA "solution" in place for a service account, you're having to at some place put down the otp for the 2FA, which is almost exactly the same as just disabling 2FA and providing a service password in general.

I get the idea to make it seamless, but 2FA is meant for humans, not machines. Set up a service account, lock it down, disable 2FA and set up some reports for monitoring the account. It really should be fine.

[daystrom]

Hi Soncscy
Most of my clients are on gsuite, in fact.
I'm not very wise in the gsuite/2sv space, so it's limited what I can contribute to questions like your. But, I do now know that the standard workaround is for this issue if google's 2sv is involved. If one has 2sv enabled for an account, one can also generate what is called an "app password", which is a reasonably complex password that google hands off to you. If you're going to connect to that account via some third party process like veeam's notifications, you use that password instead of the normal password; it verifies via cell or whatever; and you're set. I meant to post that here, to complete the topic, so it's good that you posted here an reminded me.
With gsuite, most admins prefer to enforce 2fa if they're going to deploy it, and they wouldn't be very happy with leaving 2fa as not enforced just for the sake of some notifications. The app password fix seems to be a bridge in these cases.