Comprehensive data protection for all workloads
randy.belbin
Lurker
Posts: 1
Liked: 1 time
Joined: Sep 05, 2018 6:01 am
Full Name: Randy Belbin
Contact:

Re: Feature Request - Two-factor auth support for Veeam Cons

Post by randy.belbin » Sep 05, 2018 6:20 am 1 person likes this post

Hey there Veeam team!

I'm currently playing around with Backup and Replication in my home lab and I have to say that so far, I'm pretty impressed. Truly great work!
On the 2FA front, I have to say that backups (should) contain every piece of critical and sensitive data that a company owns. It seems really silly to go through all the trouble of putting 2FA on servers only to have the backups accessible with just a password. File level browsing and restores are great until they make their way into the wrong hands.

I'll be the first one to admit that access to the Veeam Console should be very tightly controlled. As in the only access should be from an admin workstation which is protected with 2FA. However, I think it would be awesome to have native 2FA support in the console for that extra piece of mind or for those folks who can't properly segment their networks.

Now for the full disclosure part - I work for RSA and we have a phenomenal partner engineering team that would be more than happy to work with your devs to implement our REST APIs into your products. 2FA is quickly becoming ubiquitous or table stakes or whatever we want to call it and we'd love to help you make strong auth another awesome feature of the Veeam console.

crackocain
Service Provider
Posts: 127
Liked: 9 times
Joined: Dec 14, 2015 8:20 pm
Full Name: Mehmet Istanbullu
Location: Turkey
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by crackocain » Jan 11, 2019 2:50 pm

+1.

Actually great fit "Veeam Authenticator" app iOS and Android :)

Escapo IT
Influencer
Posts: 11
Liked: 4 times
Joined: May 29, 2012 6:05 pm
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Escapo IT » Feb 27, 2019 8:15 am

+1

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by olavl » Mar 19, 2019 8:54 pm

+1 for MFA - integrate with Azure MFA, Google Auth, MS Auth, Duo etc.
+1 for console authentication with Radius/LDAPS

Gostev
SVP, Product Management
Posts: 24638
Liked: 3467 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by Gostev » Mar 20, 2019 12:04 am

@Olav I am just curios, are you using all these MFA systems at once?

For example, why would you use both MS Auth and Duo at the same time? We were just evaluating both for the internal use, and it seems like a binary choice: you either go with one or the other - not both.

Also, from the same evaluation I believe Azure MFA and MS Auth is the same thing, no?

Also, I believe Google MFA is for Google Accounts only - so, how are you using it for Windows infrastructure (logging on to Active Directory etc.)?

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by olavl » Jun 12, 2019 10:39 pm

@Gostev: missed this post, but I'll throw in some thoughts now.

A Veeam customer should protect the console and repository through firewall, zoning etc. But having multiple MFA for console access should be part of a enterprise backup system in 2019.

I listed a couple of alternatives for MFA as an example, if Veeam will implement MFA for console and powershell access you might consider having multiple alternatives to suit your customers needs.
A Microsoft/Azure shop might be on Microsoft Radius or Azure MFA, some on Google Auth and others on Duo or Authy.

Using Google Authenticator requires the app installed on android or IOS, but logging in can be any account since you only add the code-generating to the Auth app. See panda/commvault for examples.

Some examples:

amarshall
Service Provider
Posts: 3
Liked: never
Joined: Jun 02, 2016 12:28 am
Full Name: Adam Marshall
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by amarshall » Jun 21, 2019 10:50 am

We have a client requesting this for Cloud Connect - it's a deal breaker for them, part of the requirements from global HQ for any Cloud/SaaS service. Either using an authenticater fob/app or OTP.

What are Veeams thoughts here? I didn't hear anything about any sort of MFA at VeeamON?

ferrus
Veeam ProPartner
Posts: 246
Liked: 31 times
Joined: Dec 03, 2015 3:41 pm
Location: UK
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by ferrus » Jun 21, 2019 11:59 am

Adding my name to the request for 2FA access for Veeam.
This should become more standard across most applications TBH - and since Veeam potentially holds ALL data for all applications ...

We use Google authenticator across all our 2FA systems. I don't believe the MS/Google authenticator apps are vendor locked at all.


One question though. From a security perspective, have you improved much by introducing 2FA to the console - when most actions are available through powershell?

sswayd
Lurker
Posts: 1
Liked: never
Joined: Sep 04, 2019 1:00 pm
Full Name: SWAYD ALSWAYD
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by sswayd » Sep 04, 2019 1:02 pm

+1

tomnewman
Enthusiast
Posts: 46
Liked: 2 times
Joined: Oct 14, 2015 10:12 pm
Full Name: Tom Newman
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by tomnewman » Sep 14, 2019 10:02 pm

+1

ShawnKPERS
Enthusiast
Posts: 55
Liked: 4 times
Joined: Apr 29, 2011 3:55 pm
Full Name: Shawn Nix
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by ShawnKPERS » Sep 17, 2019 7:29 pm

+1

riahc3
Enthusiast
Posts: 81
Liked: 4 times
Joined: Oct 21, 2015 10:01 am
Full Name: John
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by riahc3 » Sep 18, 2019 1:12 am 1 person likes this post

skrause wrote:
Sep 28, 2016 2:22 pm
Sure, we could RDP into our B&R server with 2FA
There you go; You have 2FA to the console already.

I dont understand why people have a unhealthy obsession with 2FA. Not everything needs 2FA and things can be put before that SHOULD require 2FA.

Are you going to want that UAC uses 2FA as well? Or Powershell commands?

soncscy
Influencer
Posts: 10
Liked: 7 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey Carel
Contact:

Re: Feature Request - Two-factor auth support for Veeam Console

Post by soncscy » Sep 18, 2019 4:26 pm

While I agree, keep in mind, often Security Requirements aren't a choice, they're a mandate. Think like PCI DSS which, thankfully, isn't too ridiculous in and of itself, but those tasked with enforcing it often haven't read the material, or lack the ability to understand what is being required.

Cargo Cult Security is an awful practice, but that doesn't mean that everyone doing it does so willingly; sometimes you just gotta check that box in order to get home by 6 pm that night. 2FA probably won't save most people if they're really hit by some new ransomware (hell, last time we had a site get hit, the local admin had 2FA enabled, and went ahead and authenticated something from an unknown process anyways figuring it was some cronjob he forgot about)

I always tell people, the biggest threats are craft hackers or cleverly disguised packages with malicious payloads; it's the emails that go "Hey Bob! Look at this!" and Bob blindly clicks through.

Post Reply

Who is online

Users browsing this forum: No registered users and 49 guests