Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect Flex Appliance
  4. Managing multifactor authentication
  5. Enforcing multifactor authentication
NetBackup and NetBackup Appliances Hardening Guide

Enforcing multifactor authentication

You can enforce multifactor authentication for users in the Flex Appliance Console, so that they must configure it by the date that you select.

Note:

Remote AD and LDAP user groups are not supported when multifactor authentication is enforced. Once you enforce it, users in these groups can no longer sign in.

You cannot enforce multifactor authentication for the hostadmin user in the Flex Appliance Shell.

You also have an option to opt out of multifactor authorization.

Before you can enforce multifactor authentication, the following prerequisites must be met:

  • The appliance date and time must be set with NTP.

  • You and at least one other user must have the security administrator role. At least one of the users with the security administrator role must be a local user.

  • You must have multifactor authentication configured on your account.

Note that:

  • After a new installation of Flex Appliance, the Enforce multifactor authentication enforcement dialog will appear at every login until the administrator explicitly enforces or opts out. If the dialog is closed without making a choice, the user remains on the home page, and the Enforce multifactor authentication screen will reappear on subsequent logins. An opt-out without providing a reason is treated as no choice, so the dialog continues to appear at each login.

    This is the default state of the appliance.

  • If the prerequisites are met and no selection is made, the Enforce Multifactor authentication option is selected by default and the enforce date popup is automatically shown. You can close the date selection screen and choose opt-out at this point.

  • If the prerequisites are not met, you cannot enforce multifactor authentication. But you can opt out of multifactor authentication. Once the prerequisites are met, you can choose to enforce multifactor authentication even if you opted out of it before.

  • If you have enforced multifactor authentication but the enforcement is not effective, you can change the effective date but you cannot change the configuration.

To enforce multifactor authentication

  1. Sign in to the Flex Appliance Console as a security administrator. Click the Settings icon in the top-right corner of the page and then click Multifactor authentication enforcement.
  2. On the Multifactor authentication enforcement page, click Enforce.
  3. Select a start date within the next 90 days.

    Caution:

    Once you enforce multifactor authentication, you cannot cancel the enforcement or extend the start date past 90 days.

  4. Click Enforce.

If you need to change the start date, return to the Multifactor authentication enforcement page and click Edit enforcement.

To opt out of multifactor authentication

  1. Go to Settings > Multifactor authentication enforcement and select Opt-out of Multifactor Authentication (MFA).
  2. The Multifactor Authentication Liability Agreement popup appears. The popup will walk you through the liability agreement. Read and accept the liability agreement. Click Next.
  3. Select the reason for opting out of multifactor authentication. You can choose any of the listed options or choose Custom and specify the reason for opting out.
  4. Click Confirm.

Feedback

Was this page helpful?
Previous

Configuring or reconfiguring multifactor authentication

Next

Managing multifactor authentication on a primary or a media server instance

Feedback

Was this page helpful?