This topic uses the Google Authenticator app as an example to describe how to enable a multi-factor authentication (MFA) device for a RAM user. An enabled MFA device provides additional security protection for your Alibaba Cloud account.


  1. Log on to the RAM console by using an Alibaba Cloud account.
    • If you selected Required for Enable MFA when you modified the logon settings of a RAM user, the RAM user goes directly to step 5 after logging on to the RAM console.
    • If you allow a RAM user of your Alibaba Cloud account to manage its own MFA device, the RAM user can enable an MFA device in the RAM console. The procedure is as follows: Move the pointer over the profile picture in the upper-right corner of the console, and click Security. In the left-side navigation pane, click MFA Device Management. On the page that appears, click Enable MFA Device.
  2. In the left-side navigation pane, click Users under Identities.
  3. In the User Logon Name/Display Name column, click the username of the target RAM user.
  4. On the Authentication tab, click Enable the Virtual MFA Device.
  5. Download and install the Google Authenticator app on your mobile device.
    • For iOS, install the Google Authenticator app from the App Store.
    • For Android, install the Google Authenticator app from the Google Play Store.
      Note: For Android, you must install a QR code scanner from the Google Play Store for Google Authenticator to identify QR codes.
  6. Open the Google Authenticator app.
  7. Select a method to enable the MFA device from the following available options.
    • Recommended. Tap BEGIN SETUP > Scan barcode in the Google Authenticator app, and scan the QR code that is displayed on the Scan the code tab in the RAM console.
    • Tap BEGIN SETUP > Manual entry, enter the username and key, and then tap the check mark in the Google Authenticator app.
      Note: You can obtain the username and key from the Retrieve manually enter information tab in the console.
  8. Enter the two consecutive verification codes that are obtained from the Google Authenticator app, and click Enable.
    Note: The verification code in the Google Authenticator app is refreshed at an interval of 30 seconds.
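
Why step 8 asks for two consecutive codes, shown as an added example (not Alibaba Cloud's code): Google Authenticator derives each code from the key and a 30-second counter using RFC 6238 TOTP with HMAC-SHA1, so two adjacent codes show that the app holds the key and that its clock is close to the verifier's. The `verify_enrollment` function, its `drift_steps` tolerance and the sample key are assumptions for illustration; this page does not describe how RAM validates the codes.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds; the refresh interval this page states

# Constructed sample key: the RFC 6238 test secret, base32-encoded the way
# a manual-entry key is shown. Not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()


def totp(key_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (Google Authenticator's default)."""
    # Tolerate spaces, lower case and missing padding in a typed key.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_enrollment(key_b32: str, code1: str, code2: str, now: int,
                      drift_steps: int = 1) -> bool:
    """Hypothetical server-side check: code1 and code2 must be the codes
    for two adjacent 30-second steps, within drift_steps of `now`."""
    for d in range(-drift_steps, drift_steps + 1):
        t = now + d * STEP
        first_ok = hmac.compare_digest(totp(key_b32, t).encode(), code1.encode())
        second_ok = hmac.compare_digest(totp(key_b32, t + STEP).encode(), code2.encode())
        if first_ok and second_ok:
            return True
    return False


if __name__ == "__main__":
    t = 1111111109  # constructed timestamp from the RFC 6238 test vectors
    c1, c2 = totp(SAMPLE_KEY, t), totp(SAMPLE_KEY, t + STEP)
    print(c1, c2, verify_enrollment(SAMPLE_KEY, c1, c2, t))
    print(verify_enrollment(SAMPLE_KEY, c1, c1, t, drift_steps=0))
```

Entering the same code twice fails the check because the second code must belong to the next 30-second step, which is why you wait for the app to refresh before typing the second value.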

What to do next

When a RAM user logs on to the RAM console with the MFA device enabled, the RAM user must enter the following information:

  1. Username and password of the RAM user
  2. Verification code provided by the MFA device

Note: Before you uninstall or remove an MFA device, you must log on to the Alibaba Cloud console and disable the MFA device. Otherwise, a logon failure may occur.