Bind an MFA device for a RAM user

更新时间:
复制 MD 格式

To enhance RAM user account security, we recommend enabling multi-factor authentication (MFA) as an additional verification layer beyond a username and password. After MFA is enabled, the RAM user must complete second-factor authentication when they log on to the console or perform sensitive operations. This helps prevent security risks from compromised credentials. This topic describes how a RAM user can bind an MFA device, including a passkey, secure phone, virtual MFA device, and security email.

Note

To better protect your account and assets, Alibaba Cloud will progressively enable mandatory multi-factor authentication (MFA) at logon for all RAM users starting from August 20, 2024. For more information, see the notice.

Comparison of MFA methods for RAM users

You can choose one or more MFA methods for a RAM user based on your business requirements and security level. For more information about each MFA method, see Supported MFA methods.

MFA method

Verification method

Security level

Dependencies

Recommendations

Passkey

Biometric recognition (fingerprint/face) or device PIN

Highest

A compatible device (computer/phone) and browser, or a hardware security key. For more information, see What is a passkey?.

Ideal for use cases that require the highest level of security and a convenient, passwordless logon experience. This method verifies the device itself and uses its built-in biometrics for authentication.

Virtual MFA device

Time-based one-time password (TOTP)

High

An authenticator app on a smartphone, such as the Alibaba Cloud app or Google Authenticator.

Versatile, highly secure, and not limited by regions or carriers. This method is suitable as a primary MFA option.

Secure phone

SMS verification code

Medium

A mobile phone and carrier signal

Easy to use. You can use it as a backup for a passkey or a virtual MFA device.

Security email

Email verification code

Medium

An email service

Used as a backup verification method. When the primary MFA device is unavailable, it can be used for operation verification but not for logon authentication.

Note
  • To prevent logon failures due to device loss, damage, or app uninstallation, we strongly recommend binding at least two different types of MFA devices for each RAM user, such as a passkey and a secure phone.

  • U2F security keys have been upgraded to passkeys. If you have a U2F security key bound to your account, we recommend that you upgrade it to a passkey. For more information, see Upgrade a U2F security key to a passkey.

Configure a global MFA policy

Before a RAM user can bind an MFA device, an Alibaba Cloud account or a RAM administrator must configure a global MFA policy. This policy defines the MFA enforcement rules and allowed device types. It does not bind devices to users. Each RAM user must bind their own device individually.

After configuring the global policy, bind an MFA device as described in this topic to enable MFA. For more information about the global configuration, see Manage security settings for RAM users.

Bind a passkey

A passkey uses your device's built-in biometric recognition (fingerprint or face) or PIN for authentication, providing a seamless and highly secure passwordless experience. You need a passkey-compatible operating system and browser, or a hardware security key. For more information about the limitations and supported device types for passkeys, see What is a passkey?.

Note

We recommend that you bind passkeys on all your frequently used devices. You should also bind a secure phone as a backup to avoid being locked out when you switch to a new device.

On the logon page

When a RAM user logs on to the console for the first time, they can bind a passkey by performing the following steps:

  1. Go to the RAM user logon page, and then enter your RAM username and logon password.

  2. Select Passkey.

  3. On the Bind Passkey page, follow the on-screen instructions to complete the process. For more information, see Manage passkeys for a RAM user.

On the security page

  1. Go to the RAM user logon page and log on.

  2. In the upper-right corner, hover over your profile picture and click Security Information.

  3. In the Passkey section, click Create Passkey.

  4. On the Bind Passkey page, follow the on-screen instructions to complete the process. For more information, see Manage passkeys for a RAM user.

Bind a secure phone

On the logon page

When a RAM user logs on to the console for the first time, they can bind a secure phone number by performing the following steps:

  1. Go to the RAM user logon page, enter your RAM username and logon password, and then log on to the console.

  2. Select Text Message Verification.

  3. Enter your phone number, obtain and enter the verification code, and then click OK.

On the security page

RAM users with permission to manage their own MFA devices can bind a secure phone number. For more information about how to allow RAM users to manage their own MFA devices, see Manage security settings for RAM users.

  1. Go to the RAM user logon page and log on.

  2. In the upper-right corner, hover over your profile picture and click Security Information.

  3. In the MFA Information section, click Bind to the right of Security Phone.

  4. Enter your phone number, obtain and enter the verification code, and then click OK.

Note

The phone number in a RAM user's basic information is for reference only and is different from the bound secure phone number. Only the secure phone number can be used for second-factor authentication.

Bind a virtual MFA device

A virtual MFA device generates one-time passwords through a compatible authenticator app that supports the TOTP protocol. It is a secure and versatile MFA method. Before you start, download and install an authenticator app, such as the Alibaba Cloud app or Google Authenticator, on your mobile device.

On the logon page

When a RAM user logs on to the console for the first time, they can bind a virtual MFA device by performing the following steps:

  1. Go to the RAM user logon page, and then enter your RAM username and logon password.

  2. Select Virtual MFA Device.

  3. On your mobile device, add the virtual MFA device. The following examples show how to add a virtual MFA device by using the Alibaba Cloud app on an Android device and the Google Authenticator app on an iOS device.

    Alibaba Cloud app (Android)

    1. Log on to the Alibaba Cloud app.

    2. In the upper-right corner of the page, tap the mfa icon.

    3. In the upper-right corner, tap the + icon and choose a method to add the virtual MFA device.

      • Scan QR code (Recommended): Tap Scan QR code, scan the QR code displayed on the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap OK.

      • Add manually: Tap Add manually, enter the account and key from the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap OK.

    Google Authenticator app (iOS)

    1. Open the Google Authenticator app.

    2. Tap Get started and choose a method to add the virtual MFA device.

      • Scan a QR code (Recommended): Tap Scan a QR code and scan the QR code displayed on the Bind Virtual MFA Device page in the Alibaba Cloud console.

      • Enter a setup key: Tap Enter a setup key, enter the account and key from the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap Add.

  4. In the Alibaba Cloud console, enter the one-time password that is displayed on your mobile device, and then click OK.

On the security page

  1. Go to the RAM user logon page and log on.

  2. In the upper-right corner, hover over your profile picture and click Security Information.

  3. In the MFA Information section, click Bind VMFA to the right of MFA Device.

  4. On your mobile device, add the virtual MFA device. The following examples show how to add a virtual MFA device by using the Alibaba Cloud app on an Android device and the Google Authenticator app on an iOS device.

    Alibaba Cloud app (Android)

    1. Log on to the Alibaba Cloud app.

    2. In the upper-right corner of the page, tap the mfa icon.

    3. In the upper-right corner, tap the + icon and choose a method to add the virtual MFA device.

      • Scan QR code (Recommended): Tap Scan QR code, scan the QR code displayed on the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap OK.

      • Add manually: Tap Add manually, enter the account and key from the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap OK.

    Google Authenticator app (iOS)

    1. Open the Google Authenticator app.

    2. Tap Get started and choose a method to add the virtual MFA device.

      • Scan a QR code (Recommended): Tap Scan a QR code and scan the QR code displayed on the Bind Virtual MFA Device page in the Alibaba Cloud console.

      • Enter a setup key: Tap Enter a setup key, enter the account and key from the Bind Virtual MFA Device page in the Alibaba Cloud console, and then tap Add.

  5. In the Alibaba Cloud console, enter the one-time password that is displayed on your mobile device, and then click OK.

Note

You can also allow RAM users to remember MFA verification status for 7 days. If this feature is enabled, a RAM user can select Remember this device and do not ask for verification within 7 days during MFA. After the RAM user selects this option, they do not need to perform MFA on that device for 7 days. For information about how to configure this setting, see Manage security settings for RAM users.

Bind a security email

A security email is typically used as a backup MFA method. It provides a verification option when your primary device is unavailable.

  1. Go to the RAM user logon page and log on.

  2. In the upper-right corner, hover over your profile picture and click Security Information.

  3. In the MFA Information section, click Bind to the right of Security Email.

  4. On the Bind Email page, enter your email address, obtain and enter the verification code, and then click OK.

Note

The email address in a RAM user's basic information is for reference only and is different from the bound security email. Only the security email can be used for second-factor authentication.

Upgrade a U2F key to a passkey

If a RAM user has previously bound a U2F security key, the key can still be used. However, we recommend that you upgrade it to a passkey.

  1. Go to the RAM user logon page and log on.

  2. In the upper-right corner, hover over your profile picture and click Security Information.

  3. In the MFA Information section, click Update to Passkey to the right of MFA Device.

  4. In the Update U2F to Passkey dialog box, click OK.

    A message prompts you to perform a one-time authentication to upgrade your U2F device. After the authentication is successful, the U2F device is upgraded to a passkey and can be used for both logon authentication and MFA.

  5. On the Bind Passkey page, bind the security key. For more information, see Manage passkeys for a RAM user.

Next steps

After you enable MFA and bind an MFA device, a RAM user must provide two authentication factors when they log on to Alibaba Cloud or perform sensitive operations on the console:

  1. First factor: Enter the username and password.

  2. Second factor: Enter the verification code generated by a virtual MFA device or sent to a secure phone or security email address, or perform passkey authentication.

If you enable multiple verification methods, you can choose any one of them for verification when you log on to the console or perform sensitive operations.

Important
  • If you want to replace the MFA device for a RAM user, you must first unbind the current device before you bind a new one. For more information, see Unbind an MFA device for a RAM user.

  • If a RAM user's U2F security key is lost, or if they uninstall an MFA app such as the Alibaba Cloud app or Google Authenticator without first unbinding it, they cannot log on to Alibaba Cloud. To regain access, the user must ask an Alibaba Cloud account or a RAM administrator to unbind the device in the RAM console. For more information, see Unbind an MFA device for a RAM user.