Notice about Alibaba Cloud enabling RAM user MFA for accounts by default

Affected Time

2025-03-17 10:00:00 (UTC+08)

Change description: Alibaba Cloud is committed to improving the security of cloud services and spares no effort in safeguarding user accounts and assets. Improperly stored credentials can lead to the leak of Resource Access Management (RAM) user logon passwords, which may in turn compromise resource security, incur unexpected fees, and even expose users to ransomware attacks. Multi-factor authentication (MFA) prevents unauthorized logons that use leaked passwords. Starting from March 17, 2025, Alibaba Cloud RAM will gradually require all users to pass MFA when logging in with a password.

Change method: When the change takes effect, if the [MFA must be used during logon] setting in the RAM user Security Preference of your account is set to [Apply User-specific Configuration] or [Required Only for Unusual Logon], it will be updated to [Enable for All Users]. As a result, all RAM users under the account must bind an MFA device and complete secondary authentication when using a password to log on to the console. For more information about these configurations, see the topics "What is multi-factor authentication?" and "Manage the security settings of RAM users".

Effective Scope: All Alibaba Cloud accounts except the following:

  • Alibaba Cloud accounts that use RAM for the first time at or after 10:00 a.m. on July 15, 2024.
  • Alibaba Cloud accounts whose MFA for RAM User Security setting is already [Enable for All Users]. (The change applies, but these accounts are not affected because their setting is already Enable for All Users.)
  • Alibaba Cloud accounts that have enabled user single sign-on (SSO) for their RAM users. (The change applies, but these accounts are not affected because SSO does not require MFA.)

Release method: The change will be released in batches, account by account, starting from March 17, 2025. You will be notified of the specific time of the change two weeks in advance, by email and by prompts on the logon page.

New rules for associated configuration: After the change takes effect, you may change the [MFA for RAM User Logons] setting after a thorough evaluation of security risks.

At the same time, the following new rules will be issued at 10:00 a.m. March 17, 2025:

  • If the [MFA must be used when logging in] configuration item is set to [Required Only for Unusual Logon], all RAM users must bind an MFA device at the next logon to ensure that MFA can be performed during unusual logons.
  • If the [MFA must be used when logging in] configuration item is set to [Apply User-specific Configuration], all RAM users with the AdministratorAccess system policy must bind an MFA device and pass MFA at logon. The MFA setting in the logon configurations of these RAM users becomes invalid.
  • Email is enabled by default as a method of multi-factor authentication.

Before this change is released, you are encouraged to change the setting to [Enable for All Users] and notify your RAM users to bind an MFA device for higher security. Virtual MFA devices, passkeys (including security keys), and email are supported as MFA devices. RAM users can now log in with a passkey, but it is still recommended that they bind another multi-factor authentication method as a backup.

If you have any questions or need further assistance, feel free to submit a ticket or call our hotline for technical support. Thank you for your understanding and trust.