After you enable multi-factor authentication (MFA), end users must provide a dynamic code or a verification code in addition to their username and password when they log on to a Wuying Workspace terminal. This adds an extra layer of security. This topic explains how to enable MFA.
Background
MFA is a simple and effective security practice. After you enable MFA at the office network or organization ID level, the system verifies two factors each time a user logs on:
First factor: The end user's username and password.
Second factor: A dynamic code from a virtual MFA device or a verification code sent via SMS or email.
Note (Virtual MFA): The Time-based One-Time Password (TOTP) algorithm is a widely adopted multi-factor authentication protocol. Applications on a mobile phone or another device that support TOTP, such as the Alibaba Cloud App, Google Authenticator, and Microsoft Authenticator, are known as virtual MFA devices. If you enable a virtual MFA device, Alibaba Cloud requires you to enter the 6-digit dynamic code generated by the application when you log on. This prevents unauthorized logins that may result from a stolen password.
Elastic Desktop Service (EDS) Enterprise supports these MFA methods:
Authentication method | Scope | Client types | Account types |
TOTP | organization ID and office network | All | All |
SMS verification code | organization ID | | convenience accounts and AD accounts (must have a phone number configured) |
Email verification code | organization ID | | convenience accounts and AD accounts (must have an email address configured) |
Enable MFA for an office network
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Office Networks page, click the Office Network ID of the target office network.
In the More Information section at the bottom of the page, turn on the MFA switch and click OK in the confirmation dialog box.
Note: Ensure that Client Logon Verification and SSO are disabled.
After you enable MFA, users in this office network must enter a dynamic code when logging on to a Wuying Workspace terminal.
Enable MFA for an organization ID
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Security tab of the Logon page, set MFA to Enabled.
In the confirmation dialog box, select an authentication method.
TOTP
Uses a TOTP-compliant app, such as Google Authenticator, for second-factor authentication.
SMS verification code
This method is effective only for desktop clients V7.6 or later and mobile clients V7.3 or later. It applies to convenience accounts and AD accounts.
Note: If a phone number is not configured for the account, the user cannot complete the verification.
Email verification code
This method is effective only for desktop clients V7.6 or later and mobile clients V7.3 or later. It applies to convenience accounts and AD accounts.
Note: If an email address is not configured for the account, the user cannot complete the verification.
After you enable MFA, users in this organization ID must enter the dynamic code or verification code for the selected authentication method when they log on to a Wuying Workspace terminal.
Delete an MFA device
After you enable TOTP-based MFA in the console, end users must bind a virtual MFA device on their first logon. If a user replaces their virtual MFA device, you can delete the old one in the console. The next time the user logs on, they will be prompted to bind a new virtual MFA device.
Convenience account
In the left-side navigation pane, choose .
In the left-side navigation pane, choose .
On the User Management page, on the User tab, find the target user, click the ⋮ icon in the Actions column, and select Manage MFA Device.
In the Manage MFA Device dialog box, find the virtual MFA device that you want to delete, click Delete in the Actions column, and then click OK.