Step 3: Configure MFA for your account
Passwords alone are not enough to protect a cloud account — if your credentials are leaked, an attacker gains immediate access. Multi-factor authentication (MFA) requires a second verification step on every login, so your account stays protected even if your password is compromised. This topic uses Google Authenticator to walk you through attaching a virtual MFA device to your Alibaba Cloud account.
How MFA works
With MFA enabled, every login requires two verification steps:
Enter your username and password.
Enter a 6-digit dynamic code from your MFA device or a text message sent to your mobile phone.
MFA methods
Alibaba Cloud accounts support multiple MFA methods. This topic focuses on virtual MFA devices — authenticator apps that follow the time-based one-time password (TOTP) standard (RFC 6238) and generate a 6-digit dynamic code every 30 seconds.
Supported TOTP apps:
Alibaba Cloud app (Recommended): The official app is highly integrated and supports one-stop Alibaba Cloud service management and security authentication.
Google Authenticator — available for Android and iOS
Microsoft Authenticator and other TOTP-compatible authenticators
Attach a virtual MFA device
This topic uses the Alibaba Cloud app as an example. The steps for other TOTP-compatible apps are similar.
Prerequisites
Before you begin, make sure you meet the following requirements:
Your Alibaba Cloud account has completed identity verification. For more information, see Identity verification overview.
You have downloaded and installed the latest version of the Alibaba Cloud app on your mobile phone.
Procedure
Log on to the Account Center. Under My Account, select Security. Then, click Bind next to Virtual MFA.
On the Verify Identity page, select a method to complete the identity verification.
On the Enable MFA page, follow the on-screen instructions to download and install the Alibaba Cloud app or Google Authenticator on your mobile phone. Use the Alibaba Cloud app or Google Authenticator to get a verification code, enter the code, and then click Enable.
After the MFA device is attached, refresh the Security page. The status changes to Bound.
FAQ
How do I attach an MFA device if my account is shared by multiple users?
Share the QR code generated during the setup process. Have all users who need to use this account scan the code to add the account to their authenticator applications. This way, each person can get a dynamic verification code to log on independently.
What should I do if I lose my phone or accidentally uninstall the Alibaba Cloud app and cannot use MFA?
This is a critical situation that might prevent you from logging on to your account.
Best practice: Before you replace your phone, reinstall the operating system, or uninstall the app, log on to the Alibaba Cloud Management Console and detach the MFA device in your security settings.
Emergency: If you have lost your phone or accidentally uninstalled the app, you cannot detach the device yourself. In this case, you must submit a ticket to detach the MFA device. For more information, see Detach a virtual MFA device.