Resource Access Management:Bind an MFA device to a RAM user

Last Updated:Jan 04, 2024

Multi-factor authentication (MFA) is a supplement to the username and password authentication model for console logons and sensitive operations. To ensure the security of a Resource Access Management (RAM) user, you can bind an MFA device to the RAM user. The MFA device can help verify the identity of the RAM user.

Background information

  • For more information about the MFA methods that are supported by RAM users and the limits, see MFA.

  • You can bind only one type of MFA device to a RAM user.

Bind a virtual MFA device

Prerequisites

Before you can bind a virtual MFA device, you must download and install the Google Authenticator app on your mobile device. You can use one of the following methods to download the Google Authenticator app:

  • For iOS, download the Google Authenticator app from the App Store.

  • For Android, download the Google Authenticator app from your preferred app store.

    Note

    For Android, you must also download and install a quick response (QR) code scanner from an app store for Google Authenticator to identify QR codes.

Binding methods

You can use one of the following methods to bind a virtual MFA device based on your business requirements:

  • You can bind a virtual MFA device by using an Alibaba Cloud account or a RAM user who has administrative rights in the RAM console.

  • If you selected Required for Enable MFA when you created the RAM user, the RAM user is required to bind a virtual MFA device upon logon. The RAM user can select Virtual MFA Device in the Enable MFA Device dialog box and go to Step 6.

  • If a RAM user of your Alibaba Cloud account is allowed to manage its own virtual MFA device, the RAM user can bind a virtual MFA device in the RAM console. To bind a virtual MFA device, perform the following operations: Move the pointer over the profile picture in the upper-right corner of the console and click Security Information Management. On the Virtual MFA Device tab of the Console Logon page, click Enable Virtual MFA Device and go to Step 6.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the User Logon Name/Display Name column, click the username of the RAM user that you want to manage.

  4. On the page that appears, click the Authentication tab. Then, click the Virtual MFA Device tab.

  5. Click Enable Virtual MFA Device.

  6. On your mobile device, enable a virtual MFA device.

    Note

    The following example shows how to bind a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.

    1. Open the Google Authenticator app.

    2. Tap Get started and select one of the following methods to enable a virtual MFA device:

      • Tap Scan a QR code in the Google Authenticator app. Then, scan the QR code that is displayed on the Scan the code tab in the RAM console. This method is recommended.

      • Tap Enter a setup key. Then, enter the account and key that you obtained from the QR Information tab in the RAM console, and tap Add.

  7. In the RAM console, enter the verification code that is displayed in the Google Authenticator app. Then, click Confirm Bind.

    Note

    You can also configure the Remember MFA for Seven Days parameter. If you set this parameter to Allowed, a RAM user can select Remember this machine for 7 days before you have to be authenticated again when the RAM user passes MFA during logon. If this option is selected, MFA is not required again on that machine within the next seven days. For more information, see Manage security settings of RAM users.

Bind a U2F security key

Binding methods

You can use one of the following methods to bind a U2F security key based on your business requirements:

  • You can bind a U2F security key by using an Alibaba Cloud account or a RAM user who has administrative rights in the RAM console.

  • If you selected Required for Enable MFA when you created the RAM user, the RAM user is required to bind an MFA device upon logon. The RAM user can select U2F Security Key in the Enable MFA Device dialog box and go to Step 6.

  • If a RAM user of your Alibaba Cloud account is allowed to manage its own MFA device, the RAM user can bind a U2F security key in the RAM console. To bind a U2F security key, perform the following operations: Move the pointer over the profile picture in the upper-right corner of the console and click Security Information Management. On the U2F Security Key tab of the Console Logon page, click Enable U2F Security Key and go to Step 6.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the User Logon Name/Display Name column, click the username of the RAM user that you want to manage.

  4. On the page that appears, click the Authentication tab. Then, click the U2F Security Key tab.

  5. Click Enable U2F Security Key.

  6. On the Bind U2F Security Key page, bind the RAM user to the U2F security key.

    Note

    Before you perform the following operations, you must understand the limits on U2F security keys. For more information, see Limits.

    1. Plug the U2F security key into the USB port on your computer.

    2. Tap the button of the U2F security key.

    3. In the message that prompts you to obtain the U2F security key, click OK.

    4. In the message indicating that the U2F security key is obtained, click Confirm Bind.

What to do next

After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when the RAM user logs on to the Alibaba Cloud Management Console or performs sensitive operations:

  1. Enter the username and password of your account.

  2. Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.

Important

  • If you want to change the MFA device that is bound to a RAM user, you must log on to the RAM console, unbind the MFA device, and then bind the RAM user to another MFA device. For more information, see Unbind an MFA device from a RAM user.

  • If the MFA device (Google Authenticator app) is uninstalled before a RAM user disables the MFA device, or the U2F security key is lost, the RAM user cannot log on to the Alibaba Cloud Management Console. In this case, the RAM user must ask the Alibaba Cloud account to which the RAM user belongs, or a RAM user who has administrative rights, to log on to the RAM console and unbind the MFA device. For more information, see Unbind an MFA device from a RAM user.