Attach or detach a virtual MFA device
You can attach a virtual MFA device to your Alibaba Cloud account for secondary identity verification when you log on. This improves the security of your Alibaba Cloud account. This topic describes how to attach or detach a virtual MFA device.
What is MFA and why should you configure it?
Multi-Factor Authentication (MFA) is a security best practice that adds an extra layer of protection on top of your username and password.
When you enable MFA, you must complete two verification steps to log on to Alibaba Cloud:
First verification: Enter your username and password.
Second verification: Use another authentication method, such as a six-digit dynamic code generated by a virtual MFA device every 30 seconds.
With this two-step verification, even if your password is compromised, no one can log on to your account without your physical device. This helps prevent account theft and greatly improves security.
What MFA methods do Alibaba Cloud accounts support?
Alibaba Cloud accounts support multiple MFA methods, such as text message verification. This topic focuses on virtual MFA devices, which are software-based MFA applications. A virtual MFA device is an app that follows the time-based one-time password (TOTP) standard (RFC 6238). It generates a six-digit dynamic code every 30 seconds for secondary authentication during logon and other critical operations.
Recommended virtual MFA applications
Alibaba Cloud app (Recommended): The official app is highly integrated and supports one-stop Alibaba Cloud service management and security authentication.
Google Authenticator: A mainstream TOTP standard app for Android and iOS.
Other TOTP-compatible authenticators: Such as Microsoft Authenticator and Authenticator (for Windows Phone).
Attach a virtual MFA device
This topic uses the Alibaba Cloud app as an example. The steps for other TOTP-compatible apps are similar.
Prerequisites
Before you begin, make sure you meet the following requirements:
Your Alibaba Cloud account has completed identity verification. For more information, see Identity verification overview.
You have downloaded and installed the latest version of the Alibaba Cloud app on your mobile phone.
Procedure
Log on to the Account Center. Under My Account, select Security. Then, click Bind next to Virtual MFA.
On the Verify Identity page, select a method to complete the identity verification.
On the Enable MFA page, follow the on-screen instructions to download and install the Alibaba Cloud app or Google Authenticator on your mobile phone. Use the Alibaba Cloud app or Google Authenticator to get a verification code, enter the code, and then click Enable.
After the MFA device is attached, refresh the Security page. The status changes to Bound.
Detach a virtual MFA device
If you have not lost your phone and have not deleted the virtual MFA application (Alibaba Cloud app or Google Authenticator), you can detach the virtual MFA device on your PC or in the Alibaba Cloud app.
PC client
Log on to the Account Center. Under My Account, select Security. Then, click Unbind next to Virtual MFA.
Obtain a dynamic verification code from the Alibaba Cloud app. Enter the verification code in the text box shown in the following figure. Then, click Verify Now.
After the MFA device is detached, refresh the Security page. The status changes to Not Attached.
Alibaba Cloud App
If you lost your phone or accidentally deleted the MFA application (Alibaba Cloud app or Google Authenticator), you can reinstall the Alibaba Cloud app and use face recognition to quickly detach the virtual MFA device.
NoteCurrently, only individual accounts that have completed identity verification and the legal representatives of enterprise accounts that have completed identity verification can use face recognition to detach an MFA device.
Scan the QR code on your phone to download and install the Alibaba Cloud app. Open the app and click Log On/Sign Up. Confirm the agreements and terms, and then click One-click Logon With Current Phone Number.
On the Verify Virtual MFA Device page, click Detach MFA Device.
On the Identity Verification page, click Face Scan Verification. On the ID Verification Service page, click Start Authentication.
After you pass the face scan verification, the MFA device is detached.
If you cannot detach the MFA device for your Alibaba Cloud account using the preceding methods and you cannot log on, you can submit an account appeal to request to detach the virtual MFA device.
