Multi-factor authentication (MFA) FAQ

This topic answers frequently asked questions about multi-factor authentication (MFA). It covers common issues such as verification code errors, authentication failures, replacing an MFA device, enforcing or disabling MFA, and issues with secure phones and security email addresses.

Verification code error during MFA binding

  • MFA is time-based. Ensure the time on your mobile device is synchronized.

  • The verification code on your MFA device refreshes every 30 seconds. Make sure you enter the latest, unused code.

  • The QR code (key) can expire if you leave the binding page open for too long. Refresh the page and scan the new QR code.

  • If you scan the QR code on the binding page multiple times, your MFA device may show multiple entries for the same username, each with a different verification code. This can cause authentication to fail. Before binding, check your MFA device for duplicate entries. If you find any, delete them before you scan the new QR code to avoid confusion.

  • Rebind the MFA device. The procedure varies by account type:

  • If the issue persists, submit a ticket. In the ticket, provide screenshots of the error page and the time displayed on your mobile device, the account name, and the timestamp of the operation.

MFA authentication failure during sign-in

  • MFA is time-based. Ensure the time on your mobile device is synchronized.

  • Verify that the verification code you entered is for the correct account and is the latest, unused code.

  • If you replaced the MFA device, ensure you are using the verification code from the newly bound device.

  • Rebind the MFA device. The procedure varies by account type:

  • If the issue persists after you try these solutions, you can submit a ticket. In the ticket, provide screenshots of the time displayed on your mobile device, the name of the account being authenticated, and the operation timestamp.
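
The checks in the two lists above follow from how time-based codes are computed. The Python below is an added example, not Alibaba Cloud code. It assumes the virtual MFA device uses standard RFC 6238 TOTP (HMAC-SHA-1, 6 digits) and that the server accepts codes one 30-second step either side of its own clock, neither of which this page states; the keys, clock values and the `sign_in` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid, as stated on this page

# Constructed sample keys (not real credentials). CURRENT is the key the server
# holds; STALE stands for an entry left over from an earlier QR scan.
CURRENT = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32
STALE = "JBSWY3DPEHPK3PXP"

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 (assumed scheme, see lead-in)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, server_time: int, window: int = 1):
    """Return the step offset (-window..window) where code matches, else None."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None

def sign_in(device_secret: str, device_clock_error: int, server_time: int):
    """Simulate a device whose clock is off by device_clock_error seconds."""
    code = totp(device_secret, server_time + device_clock_error)
    return verify(CURRENT, code, server_time)

if __name__ == "__main__":
    now = 1111111109  # constructed server time
    cases = [("clock in sync", CURRENT, 0), ("clock 20 s fast", CURRENT, 20),
             ("clock 90 s fast", CURRENT, 90), ("stale duplicate entry", STALE, 0)]
    for label, secret, skew in cases:
        result = sign_in(secret, skew, now)
        print(f"{label:22} ->",
              "rejected" if result is None else f"accepted (step {result:+d})")
```

A rejection caused by clock drift goes away once the device time is synchronized; a code generated from a stale entry never matches, regardless of the clock.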

Authenticator app deleted or device lost

  • For an Alibaba Cloud account: On the identity verification page, follow the on-screen instructions to submit an appeal.

  • For a RAM user: Contact the owner of the Alibaba Cloud account or a RAM administrator to disable MFA for the RAM user. For details, see How do I disable MFA for a RAM user's console sign-in?.

Replace an MFA device

To replace the MFA device for an Alibaba Cloud account or a RAM user, for example, to move the authenticator app from one phone to another, follow these steps.

Replace MFA device for an Alibaba Cloud account

  1. Log on to the Account Center.

  2. Unbind the MFA device on Phone A.

    For details, see Unbind a virtual MFA device.

  3. Rebind the MFA device on Phone B.

    For details, see Bind or unbind a virtual MFA device.

Replace MFA device for a RAM user

If the owner of the Alibaba Cloud account allows RAM users to manage their own MFA devices, a RAM user can unbind and rebind the device independently. Otherwise, the RAM user must contact the owner of the Alibaba Cloud account or a RAM administrator for assistance. For information about how to allow RAM users to manage their own MFA devices, see Manage security settings for RAM users.

  1. Log on to the RAM console.

  2. Unbind the MFA device on Phone A.

    For details, see Unbind an MFA device for a RAM user.

  3. Rebind the MFA device on Phone B.

    For details, see Bind an MFA device as a RAM user.

Enforce MFA for RAM user sign-in

The owner of an Alibaba Cloud account or a RAM administrator can modify user security settings and console logon settings to enforce MFA for RAM users. Choose one of the following methods based on your needs:

After applying these settings, RAM users must bind an MFA device at their next sign-in. After successfully binding a device, they must enter a verification code for all subsequent sign-ins. For details about how to bind an MFA device, see Bind an MFA device as a RAM user.

Disable MFA for RAM user sign-in

Disabling MFA for a RAM user reduces account security. We recommend that you fully assess the security risks of password compromise before you disable MFA.

Note

To better protect your account and assets, this feature will be gradually rolled out by account UID starting August 26, 2024. RAM users with the AdministratorAccess system permission must use MFA for sign-in. MFA cannot be disabled for these users. For more information, see the Notice.

Unbinding an MFA device is not the same as disabling MFA. To disable MFA for a RAM user's console sign-in, you must modify the user security settings and console logon settings.

  1. As an Alibaba Cloud account owner or a RAM administrator, modify the user security settings for the RAM user.

    In the user security settings, set MFA for RAM user sign-in to Depend on each user or Required Only for Unusual Logon. For details, see Manage security settings for RAM users.

    • Depend on each user: MFA requirements are set for each user individually. You must proceed to the next step.

    • Required Only for Unusual Logon: MFA is enforced only in untrusted sign-in environments, such as when the sign-in location or device changes. Otherwise, MFA is not required.

  2. As an Alibaba Cloud account owner or a RAM administrator, modify the console logon settings for the RAM user.

    In the console logon settings for the RAM user, set MFA Required to Not Required. For details, see Manage console logon settings for a RAM user.

Binding limit reached for secure phone or email

Each phone number or email address can be bound to a maximum of five RAM users. If this limit is reached, you must either unbind it from an existing user to free up a slot, or use a new one.

Activation link request limit

The activation link for each phone number or email address is valid for 24 hours and does not need to be requested repeatedly. If you are rate-limited, wait 1 or 15 minutes before trying again.

Secure phone or email method not appearing

To use a secure phone or security email address for verification, you must bind the phone number or email address and then enable the method in the user security settings. For details, see Manage security settings for RAM users.

Incorrect binding, lost device, or compromised account

Contact the owner of the Alibaba Cloud account or a RAM administrator to unbind the MFA device for the RAM user. For details, see Unbind an MFA device for a RAM user.

Not receiving SMS for secure phone

  1. Check that your mobile phone has an active service, no overdue payments, and a stable signal.

  2. Check if your phone has blocked numbers from Alibaba Cloud, and check your blocked messages or spam folder.

Not receiving email for security email

  1. Verify that the bound email address is correct.

  2. Check your spam folder in case the email was identified as spam.