Enable two-factor authentication


After passing password authentication to log on to a Bastionhost instance, you can use a second factor, such as a text message, email, DingTalk notification, OTP token, or an SM-based USB key, for added security. This method reduces risks from password leaks.

Notes

  • Two-factor authentication in Bastionhost applies to all local users, AD-authenticated users, and LDAP-authenticated users. To enable multi-factor authentication (MFA) for a RAM user, log on to the RAM console. For more information, see Bind an MFA device to an Alibaba Cloud account.

  • The global configuration for multi-factor authentication (MFA) has a lower priority than manual configurations for individual users. To configure two-factor authentication for an individual user, see Manage Users.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.

  2. In the list of Bastionhost instances, find the target instance and click Manage.

  3. In the navigation pane on the left, click System Settings.

  4. On the System Settings page, click the Two-factor Authentication tab.

  5. Turn on the Enable Two-factor Authentication switch, select an Authentication Method, and then click Save.

    The following parameters are available on the Two-factor Authentication tab.

    Authentication Method

      • Text Message: Uses an SMS verification code for added security. Ensure the O&M user account has an associated mobile phone number to receive verification codes. For more information about how to add a mobile phone number for a user, see Modify the basic information about a local user.

      • Email: Uses an email verification code for added security. Ensure the O&M user account has an associated email address to receive verification codes. For more information about how to configure an email address for a user, see Modify the basic information about a local user.

      • DingTalk: Uses DingTalk for added security. Make sure that the following requirements are met:

        • A mobile phone number has been added to the user account that is used for O&M operations. For more information, see Modify the basic information about a local user.

        • The DingTalk administrator has created an internal application and enabled the API access permission to retrieve member information by mobile number and name.

        • You have obtained the AppKey, AppSecret, and AgentId of the internal enterprise application.

      • OTP App: Uses an OTP token for authentication. You must download a standard Time-based One-time Password (TOTP) authenticator app, such as the Alibaba Cloud app. Then, log on to the Bastionhost O&M portal through a public endpoint. In the left-side navigation pane, click Security Settings and then click the Enable OTP tab. Click Bind OTP App, and scan the QR code to bind the OTP token. For more information about how to log on to the O&M portal, see Log on to the O&M portal.

      • SM-based USB Key: This feature, available only in the SM-compliant edition of Bastionhost, uses an SM-based USB key for added security. Before you use this authentication method, you must bind a USB key certificate to your Bastionhost instance. For more information, see Bind a USB key certificate.

        Note: You can use this authentication method to log on to a Bastionhost instance only on a Windows operating system. Before you perform authentication, make sure that the USB key plug-in is installed. For more information, see Install the USB key plug-in.

    Language

      The language of the notification message for two-factor authentication. You can select Simplified Chinese or English.

    If the two-factor code is correct, you do not need to enter the code for

      Specify the time period to skip two-factor authentication after a successful verification. Valid values: 0 to 168 hours or 0 to 7 days. The default value of 0 hours requires authentication for every logon.

      During this period, a user logging on from the same source IP address is not required to perform two-factor authentication again.

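The skip window above is a per-user, per-source-IP grace period rather than a global one: a successful verification from one address does not exempt the same account from a different address, and the default of 0 hours challenges every logon. The following Python is an added illustration of that policy, not Bastionhost's implementation; the class name, the in-memory store and the IPv4-mapped address normalisation are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Range the console accepts for the skip window: 0 to 168 hours (0 to 7 days).
MAX_SKIP_HOURS = 168
SECONDS_PER_HOUR = 3600


@dataclass
class SecondFactorSkipPolicy:
    """Decides whether a password-authenticated user must also pass the
    second factor, given the configured skip window in hours."""
    skip_hours: int = 0
    # (user, normalised source IP) -> unix time of the last successful verification
    _last_success: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 0 <= self.skip_hours <= MAX_SKIP_HOURS:
            raise ValueError(f"skip window must be 0..{MAX_SKIP_HOURS} hours")

    @staticmethod
    def _key(user: str, source_ip: str) -> tuple:
        # Normalise so an IPv4-mapped IPv6 form of the same client address
        # (for example from a dual-stack listener) does not create a second key.
        addr = ipaddress.ip_address(source_ip)
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        return (user, str(addr))

    def record_success(self, user: str, source_ip: str, now: int) -> None:
        """Call after the second factor has been verified for this logon."""
        self._last_success[self._key(user, source_ip)] = now

    def requires_second_factor(self, user: str, source_ip: str, now: int) -> bool:
        """True when the user must be challenged again for this logon."""
        if self.skip_hours == 0:
            return True  # default: every logon is challenged
        last = self._last_success.get(self._key(user, source_ip))
        if last is None:
            return True  # no prior verification from this user/address pair
        return now - last >= self.skip_hours * SECONDS_PER_HOUR


if __name__ == "__main__":
    policy = SecondFactorSkipPolicy(skip_hours=24)
    policy.record_success("alice", "203.0.113.5", now=0)
    print("same IP, 1h later :", policy.requires_second_factor("alice", "203.0.113.5", 3600))
    print("other IP, 1h later:", policy.requires_second_factor("alice", "198.51.100.9", 3600))
```

Keying on the source address means that a shared egress NAT makes every client behind it look like "the same source IP" to this check, which is the caveat to weigh before choosing a long window.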
Supported countries and regions

The following countries and regions (with calling codes) are supported, grouped by the region in which the Bastionhost instance is deployed.

Mainland China regions

  • Hong Kong (China) (+852)
  • Macao (China) (+853)
  • Taiwan (China) (+886)
  • Chinese mainland (+86)

Regions outside mainland China

  • Australia (+61)
  • Poland (+48)
  • Germany (+49)
  • United Arab Emirates (+971)
  • Russia (+7)
  • France (+33)
  • Philippines (+63)
  • Republic of Korea (+82)
  • Malaysia (+60)
  • United States (+1)
  • Japan (+81)
  • Sweden (+46)
  • Switzerland (+41)
  • Spain (+34)
  • Singapore (+65)
  • Israel (+972)
  • Italy (+39)
  • India (+91)
  • Indonesia (+62)
  • United Kingdom (+44)
  • Saudi Arabia (+966)
  • Thailand (+66)
  • Vietnam (+84)
  • Cambodia (+855)