To enhance the security of RAM user accounts, we recommend that you enable multi-factor authentication (MFA) as a second layer of security in addition to usernames and passwords. After enabling MFA, RAM users must pass a second verification step when they log on to the console or perform sensitive operations. This practice effectively prevents security risks from credential leaks. This topic describes how an Alibaba Cloud account or a RAM administrator can bind a security mobile number, virtual MFA device, or security email for a RAM user in the console.
To better protect your account and assets, Alibaba Cloud will begin enforcing multi-factor authentication (MFA) for all RAM users at logon. This change will be progressively rolled out starting from August 20, 2024. For more information, see the notice.
Usage notes
-
Administrators cannot bind a passkey for a RAM user or upgrade a U2F security key to a passkey. RAM users must perform these operations themselves. For more information, see Bind an MFA device by yourself.
-
Administrators cannot bind a security mobile number from 00:00 to 06:00 daily due to carrier policies.
-
After an administrator binds a mobile number or email address, the user must complete the verification by clicking the activation link.
-
A single security mobile number or security email can be bound to a maximum of five RAM users.
The mobile number and email address in the Basic Information section of a RAM user are for contact purposes only and are different from the security mobile number and security email used for MFA verification.
MFA method comparison
You can select one or more MFA methods for a RAM user based on your business requirements and security level. For more information about each MFA method, see MFA methods supported by RAM.
|
MFA method |
Verification method |
Security level |
Dependencies |
Recommendations |
|
Passkey |
Biometrics (fingerprint or facial recognition) or device PIN |
Highest |
A passkey-compatible device (computer or smartphone) and browser, or a hardware security key |
Ideal for maximum security and passwordless sign-in. Verifies device authenticity combined with built-in biometric authentication. Must be bound by the RAM user. For more information, see Bind an MFA device for a RAM user. |
|
Virtual MFA device |
Dynamic verification code (TOTP) |
High |
An authenticator app on a smartphone, such as the Alibaba Cloud app or Google Authenticator. |
Highly versatile and secure. Not restricted by region or carrier. Recommended as the primary MFA method. |
|
Security mobile number |
SMS verification code |
Medium |
Mobile phone and carrier signal |
Easy to use. Can be used as a backup option for a passkey or a virtual MFA device. |
|
Security email |
Email verification code |
Medium |
Email service |
Used as a backup verification method. Can be used for operation verification, but not for logon verification. |
-
To avoid losing access to your account from a lost or damaged device or an uninstalled app, we strongly recommend that you bind at least two different types of MFA devices for each RAM user, such as a passkey and a security mobile number.
-
U2F devices have been upgraded to passkeys. If you have a U2F device bound to a user, we recommend that you upgrade it to a passkey. For more information, see Upgrade a U2F security key to a passkey.
Configure a global MFA policy
Before you can bind an MFA device for a RAM user, an Alibaba Cloud account or a RAM administrator must configure a global MFA policy. This policy defines the rules for enabling MFA and the allowed device types. However, you cannot use this policy to bind devices to users in bulk. You must still bind a device to each RAM user individually.
After completing the global configuration, you must bind an MFA device by using one of the methods described in this topic to activate MFA. For information about how to perform the global configuration, see Configure MFA.
Bind a security mobile number
Due to carrier policies, an Alibaba Cloud account or a RAM administrator cannot bind a security mobile number for a RAM user in the RAM console from 00:00 to 06:00 daily. You cannot receive verification SMS messages during this period.
-
Log on to the RAM console as an Alibaba Cloud account or a RAM user with the
AliyunRAMFullAccesspermission. -
In the left-side navigation pane, choose Identities > Users.
-
In the User Login Name/Display Name column, click the name of the target RAM user.
-
On the Authentication tab, in the MFA Information section, click Security Phone to the right of Edit.
-
In the Edit Security Mobile Number dialog box, enter the security mobile number and click OK.
-
In the Send Activation Link dialog box, confirm that the mobile number is correct and click Send Activation Link.
-
Click the activation link on the mobile phone to complete the verification. The link is valid for 24 hours. If it expires, you must send a new one.
The mobile number in a RAM user's basic information is for contact purposes only and is different from the security mobile number used for MFA. Only the security mobile number can be used for MFA.
Bind a virtual MFA device
A virtual MFA device generates dynamic verification codes through a TOTP-compatible authenticator app. It is the most secure and versatile MFA method. Before you begin, download and install a virtual MFA app, such as the Alibaba Cloud app or Google Authenticator, on your mobile phone.
-
Log on to the RAM console as an Alibaba Cloud account or a RAM user with the
AliyunRAMFullAccesspermission. -
In the left-side navigation pane, choose Identities > Users.
-
In the User Login Name/Display Name column, click the name of the target RAM user.
-
On the Authentication tab, in the MFA Information section, copy the Bind VMFA and open the link in a browser.
-
On your mobile device, add a virtual MFA device. The following examples show how to add a device by using the Alibaba Cloud app for Android and the Google Authenticator app for iOS.
Alibaba Cloud app (Android)
-
Log on to the Alibaba Cloud app.
-
In the upper-right corner of the page, tap the
icon. -
In the upper-right corner, tap the + icon and select a method to add the virtual MFA device.
-
Scan QR Code (Recommended): On your mobile device, tap Scan QR Code, scan the QR code on the virtual MFA binding page in the Alibaba Cloud console, and then tap OK.
-
Enter Manually: On your mobile device, tap Enter Manually, enter the account and key from the virtual MFA binding page in the Alibaba Cloud console, and then tap OK.
-
Google Authenticator app (iOS)
-
Log on to the Google Authenticator app.
-
Tap Get started and select a method to add the virtual MFA device.
-
Scan QR Code (Recommended): Tap Scan a QR code and scan the QR code on the virtual MFA binding page in the Alibaba Cloud console.
-
Enter Manually: Tap Enter a setup key, enter the account and key from the virtual MFA binding page in the Alibaba Cloud console, and then tap Add.
-
-
-
In the Alibaba Cloud console, enter the one-time password that is displayed on your mobile device, and then click OK.
You can also set whether to allow RAM users to Remember MFA status for 7 days. If allowed, RAM users can select Trust this device and skip MFA for 7 days during MFA verification. After this option is selected, the same RAM user does not need to perform MFA verification again for 7 days. For more information about how to configure this setting, see Manage RAM user security settings.
Bind a security email
A security email is typically used as a backup MFA method, providing a verification option when your primary device is unavailable.
-
Log on to the RAM console by using an Alibaba Cloud account or as a RAM administrator.
-
In the left-side navigation pane, choose .
-
In the Logon Name/Display Name column, click the name of the target RAM user.
-
On the Authentication tab, in the MFA Information section, click Edit to the right of Security Email.

-
In the Edit Security Email dialog box, enter the security email address and click OK.

-
In the Send Activation Link dialog box, confirm that the email address is correct and click Send Activation Link.
-
Open the email and click the activation link to complete the verification. The link is valid for 24 hours. If it expires, you must send a new one.
The email address in a RAM user's basic information is for contact purposes only and is different from the security email used for MFA. Only the security email can be used for MFA.
FAQ
Using one device for multiple accounts
Yes. An authenticator app on a single smartphone, such as the Alibaba Cloud app or Google Authenticator, can be used to bind a virtual MFA device for multiple Alibaba Cloud accounts, including Alibaba Cloud accounts and RAM users. Each account appears as a separate entry in the app and does not affect the others.
Next steps
After you enable MFA and bind an MFA device, a RAM user must provide two authentication factors when they log on to Alibaba Cloud or perform sensitive operations on the console:
First factor: Enter the username and password.
Second factor: Enter the verification code generated by a virtual MFA device or sent to a secure phone or security email address, or perform passkey authentication.
If multiple verification methods are enabled, the RAM user can choose any one of them for verification when they log on to the console or perform sensitive operations.
-
If you need to replace a RAM user's MFA device, unbind the current device before you bind the new one. For more information, see Unbind an MFA device from a RAM user.
-
If a RAM user uninstalls an MFA app, such as the Alibaba Cloud app or Google Authenticator, or loses their U2F security key without first unbinding the device, they cannot log on to Alibaba Cloud. In this case, the RAM user must contact the Alibaba Cloud account owner or a RAM administrator to unbind the MFA device from the RAM console. For more information, see Unbind an MFA device from a RAM user.