
Bastionhost: Enable two-factor authentication

Last Updated: Sep 21, 2023

You can enable two-factor authentication for users who log on to Bastionhost by using the username-password logon method. After it is enabled, a user must enter a second factor in addition to the password: a dynamic verification code delivered by text message, email, or DingTalk notification, or a time-based one-time password (OTP) generated by an authenticator app. A leaked or guessed password alone is then not sufficient to log on. This topic describes how to enable two-factor authentication.

Background information

You can enable two-factor authentication for all local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users. To enable two-factor authentication for a Resource Access Management (RAM) user, log on to the RAM console. For more information, see Enable an MFA device for an Alibaba Cloud account. For more information about how to configure two-factor authentication for a single user, see Manage users.

Prerequisites

  • If you select Text Message for the Authentication Method parameter when you enable two-factor authentication, you must specify the mobile phone number of the user who wants to perform O&M operations. If you do not specify the mobile phone number, the user cannot receive verification codes. For more information, see Modify the information about a user.

  • If you select Email for the Authentication Method parameter when you enable two-factor authentication, you must specify the email address of the user who wants to perform O&M operations. If you do not specify the email address, the user cannot receive verification codes. For more information, see Modify the information about a user.

  • If you select DingTalk for the Authentication Method parameter when you enable two-factor authentication, make sure that the following requirements are met:

    • The mobile phone number of the user who wants to perform O&M operations is specified. For more information, see Modify the information about a user.

    • The DingTalk administrator has created an internal enterprise application and enabled, for that application, the operation that looks up member information by the mobile phone numbers and names of members.

    • The AppKey, AppSecret, and AgentId of the internal enterprise application have been obtained. Treat the AppSecret as a credential: anyone who holds it can call the application's API on behalf of your enterprise.

  • If you select OTP App for the Authentication Method parameter when you enable two-factor authentication, each user must install an authenticator app that supports time-based one-time passwords (TOTP), such as the Alibaba Cloud app. The user then logs on to the O&M portal by using the public O&M address of the bastion host and scans the quick response (QR) code that is displayed to bind the app to the bastion host. Because TOTP codes are derived from the current time, the clock of the bastion host and the clock of the user's device must be reasonably in sync; otherwise valid codes are rejected.

Procedure

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, click System Settings.

  3. On the System Settings page, click the Two-factor Authentication tab.

  4. Turn on Enable Two-factor Authentication, set Authentication Method to Text Message, Email, DingTalk, or OTP App, and configure other parameters. Then, click Save.

    If you select DingTalk for Authentication Method, you must configure AppKey, AppSecret, and AgentId of the internal enterprise application.

    If you select OTP App for Authentication Method, you must download a TOTP authenticator app, such as the Alibaba Cloud app. Then, log on to the O&M portal by using the public O&M address of your bastion host. In the left-side navigation pane, click Security Settings. On the page that appears, click the Enable OTP tab. Then, click Bind OTP App. The system displays a QR code. Use the app to scan the QR code to bind the app with your bastion host. For more information about how to log on to the O&M portal, see Log on to the O&M portal.

    For more information about how to obtain the O&M addresses of a bastion host, see Homepage overview of a bastion host.

Supported countries and areas

Country or area                      Calling code

Areas in China
  Hong Kong (China)                  +852
  Macao (China)                      +853
  Taiwan (China)                     +886
  Chinese mainland                   +86

Countries and areas outside China
  Australia                          +61
  Poland                             +48
  Germany                            +49
  UAE                                +971
  Russia                             +7
  France                             +33
  Philippines                        +63
  Republic of Korea                  +82
  Malaysia                           +60
  United States                      +1
  Japan                              +81
  Sweden                             +46
  Switzerland                        +41
  Spain                              +34
  Singapore                          +65
  Israel                             +972
  Italy                              +39
  India                              +91
  Indonesia                          +62
  United Kingdom                     +44
  Saudi Arabia                       +966
  Thailand                           +66
  Vietnam                            +84
  Cambodia                           +855