Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect Flex Appliance
  4. Managing multifactor authentication on a primary or a media server instance
  5. Configuring or disabling multifactor authentication on a media server instance
NetBackup and NetBackup Appliances Hardening Guide

Configuring or disabling multifactor authentication on a media server instance

Use the following procedures to configure or disable multifactor authentication on a NetBackup media server application instance.

Note:

If multifactor authentication is enforced, users cannot disable it after the grace period.

To configure multifactor authentication on a media server instance

  1. (Optional) If you have already configured multifactor authentication for another instance and want to use the same authenticator account to log in to this instance, run the following command on the other instance:

    /usr/openv/netbackup/bin/goodies/nbmfacfg -show

    Take note of the key.

  2. On the instance that you need to configure multifactor authentication for, run one of the following commands:
    • To enroll with a random key, run the following command:

      /usr/openv/netbackup/bin/goodies/nbmfacfg -enroll

    • To use an existing key, run the following command:

      /usr/openv/netbackup/bin/goodies/nbmfacfg -enroll -secret <existing key>

  3. If you generated a new key, scan the QR code with an authentication app on your mobile phone. For example, Google Authenticator or Microsoft Authenticator.

    Note that the token validation is based on the server time. Ensure that the clock of the Flex Appliance and the mobile phone are correct.

    Note:

    If the appadmin user becomes locked, they cannot reset multifactor authentication for themself. To avoid this situation, Cohesity recommends that two or multiple users scan the same QR code of the appadmin user with their mobile phones. If one user loses access to the token, another user can help them to enroll again.

To disable multifactor authentication on a media server instance

  1. Log in to the instance as the user that you want to disable multifactor authentication for.
  2. Run the following command:

    /usr/openv/netbackup/bin/goodies/nbmfacfg -reset

Feedback

Was this page helpful?
Previous

Configuring or disabling multifactor authentication on a primary server instance

Next

Enforcing multifactor authentication on a primary or a media server instance

Feedback

Was this page helpful?