Manage passkeys for RAM users

Passkey authentication first verifies the device binding to confirm that the device is legitimate, and then uses the device's built-in biometrics or screen lock, such as a fingerprint, face ID, or PIN, to verify your identity.

What is a passkey?

A passkey is a new, passwordless authentication method that lets you use your device's built-in fingerprint reader, facial recognition, or screen lock PIN to securely and conveniently log on to Alibaba Cloud as a RAM user. You can also use a passkey as a form of multi-factor authentication (MFA). A passkey is based on the FIDO2 standard and uses public key cryptography. When you create a passkey, your device generates a key pair:

  • A private key is stored only on your local device and is never uploaded or exposed. It acts as your unique key.

  • A public key is stored by Alibaba Cloud and acts as the lock.

When you log on or authenticate, Alibaba Cloud sends an authentication challenge to your device. Only the local private key, unlocked by your biometric or PIN verification, can produce a response that Alibaba Cloud accepts when it checks the response against the stored public key. The entire process requires no password entry, as the verification is handled automatically between Alibaba Cloud services and your device. Your biometric information never leaves your device, which improves account security and simplifies signing in.

Why use a passkey?

  • Phishing-resistant: Each passkey is bound to a specific website. This means it cannot be used on fraudulent or look-alike sites, preventing phishing attacks.

  • No passwords to remember: Eliminates the risks associated with weak, reused, or improperly stored passwords.

  • Fast and convenient: With biometrics, logging on is significantly faster than using traditional passwords or verification codes.

  • Simplified multi-factor authentication: A passkey is inherently multi-factor, which streamlines authentication by removing extra steps like entering a verification code.

Limitations

  • A RAM user can bind a maximum of five passkeys. We recommend that you bind passkeys on all your frequently used devices and set up a security mobile number as a backup method to prevent account lockout if you lose or change devices.

  • Each passkey bound to a RAM user must have a unique name to help you distinguish between different devices.

What devices support passkeys?

Ensure that your device and software meet the following version requirements:

Browser versions

  • Google Chrome: 108 or later.

  • Microsoft Edge: 108 or later.

  • Safari: 16.1 or later.

  • Firefox: 122 or later.

Computers

  • Windows 10 and Windows 11 support saving passkeys locally and authenticating with Windows Hello.

  • macOS Ventura 13 or later supports saving passkeys in iCloud Keychain, which allows them to sync across your devices. Ensure all devices meet the system version requirements.

  • You can save passkeys in a supported browser, such as Google Chrome or Microsoft Edge, to sync them across multiple devices.

Mobile devices

  • iOS 14.5 or later supports saving passkeys locally on the device. iOS 16 or later supports saving passkeys in iCloud Keychain for syncing across devices.

  • iOS 14.5 or later supports saving passkeys in a supported mobile browser.

  • Due to customizations made by manufacturers to the Android operating system, many Android phones do not natively support passkeys. We recommend saving passkeys using the Google Chrome browser.

  • When you initiate passkey binding on a computer and scan a QR code to save a passkey on a mobile device, iOS 14.5 or later supports saving it locally. For other iOS versions or Android devices, we recommend using the Google Chrome browser to save the passkey.

Other devices

  • FIDO2-compliant security keys are supported. These devices can connect to your computer or mobile device via a USB port, Bluetooth, or NFC. U2F devices can be upgraded to work as security keys.

Bind a passkey for a RAM user

You can bind and store a passkey for a RAM user on a computer. You can use the computer's fingerprint reader, facial recognition, or PIN for authentication. You can also scan a QR code to bind a passkey on a mobile device, or bind a FIDO2-compliant security key.

Logon page

When a RAM user logs on to the console for the first time, they can bind a passkey.

  1. Go to the RAM user logon page, and enter the RAM username and logon password.

  2. Select Passkey.

  3. On the Bind passkey page, enter a name for the passkey and click Bind.

    The passkey name helps distinguish between multiple devices. The passkey name must be unique for the RAM user. You can change the name later.

  4. Your device's authentication prompt appears. Follow the on-screen instructions to select your computer, a mobile device, or an external security key to complete the binding.

  5. Review the binding result.

    On the Passkey page, the newly created passkey appears in the list. You can view its Passkey Name, Passkey ID, Creation Time, and Last Used. To remove the passkey, click Delete in the Actions column.

Security information page

  1. Log on to the Alibaba Cloud console as a RAM user by visiting the RAM user logon page.

  2. Hover over your profile picture in the upper-right corner and click Logon Security.

  3. In the Passkey section, click Create Passkey.

  4. Enter a name for the passkey and click Bind.

    The passkey name helps distinguish between multiple devices. The passkey name must be unique for the RAM user. You can change the name later.

  5. Your device's authentication prompt appears. Follow the on-screen instructions to select your computer, a mobile device, or an external security key to complete the binding.

  6. Review the binding result.

    The newly bound passkey appears in the passkey list. You can view its Passkey Name, Passkey ID, Creation Time, and Last Used. To remove the passkey, click Delete in the Actions column.

Remove a passkey

You should remove a passkey if you replace or lose a device, or if you no longer need to use it.

  1. Log on to the Alibaba Cloud console as a RAM user by visiting the RAM user logon page.

  2. Hover over your profile picture in the upper-right corner and click Logon Security.

  3. In the Passkey section, find the passkey that you want to remove and click Delete in the Actions column.

  4. In the Delete Passkey dialog box, click OK.

Log on with a passkey

A passkey provides a secure, password-free way to log on by verifying your identity with your device's built-in security features, such as a fingerprint, face scan, or PIN.

Prerequisites

  • Enabled by an administrator: A RAM administrator must allow RAM users to log on with a passkey in the global security settings. By default, Alibaba Cloud has this option enabled for Alibaba Cloud accounts. To change this setting:

    1. Log on to the RAM console by using an Alibaba Cloud account or as a RAM user with RAM administrator permissions (the AliyunRAMFullAccess policy).

    2. On the Settings page, in the Security section, click Modify.

    3. In the Global Security dialog box, enable Allow users to login with passkey.

  • Registered by the user: You must have registered a passkey, such as Touch ID or Windows Hello, in your personal security settings. For more information, see Manage passkeys for a RAM user.

Procedure

  1. Go to the RAM User Logon page.

  2. On the RAM User Logon tab, enter your username and click Next. The username is typically in one of the following formats: <RAM-username>@<default-logon-suffix> or <RAM-username>@<custom-logon-suffix>. For more information about how to view and change your logon suffixes, see Manage the logon settings for a RAM user.

  3. Click Passkey Logon. If passkey logon fails, you can click Logon Using Password to use your password instead.

  4. Your browser displays a security prompt for verification. If you registered multiple passkeys, select the one that you want to use.

  5. After completing the verification, you are logged on.