
WUYING Workspace: Configure MFA

Last Updated: Apr 09, 2024

Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide both their username and password and the verification code generated by their virtual MFA device when they log on to WUYING terminals. This topic describes how to configure MFA.

Background information

MFA is a simple and effective authentication method designed to enhance security. After you configure MFA for an office network, end users must bind virtual MFA devices to their on-premises devices upon their first logon to WUYING terminals. Then, the system verifies user identities based on the following two factors:

  • First factor: the username and password combination

  • Second factor: the verification code generated by the virtual MFA device

Note

Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. For example, the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If end users bind virtual MFA devices to their on-premises devices, Alibaba Cloud requires them to present a 6-digit verification code generated by the virtual MFA devices upon their logon to verify their identities. This effectively prevents unauthorized access caused by password theft.

WUYING Workspace (Pro Edition) supports software-based virtual MFA devices. You can install virtual MFA devices such as the Alibaba Cloud app on your mobile phone.

Enable MFA for an office network

  1. Log on to the WUYING Workspace (Pro Edition) console.

  2. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Network (Formerly Workspace) page, find the desired office network and click its ID.

  5. In the upper-right corner of the Other section, click Show and turn on the MFA switch.

    Note

    Make sure that the Client Logon Verification and SSO switches are turned off.

After you enable MFA for the office network, end users must provide an MFA verification code when they connect to cloud computers in the office network from WUYING terminals.

Unbind a virtual MFA device

After you turn on the MFA switch in the WUYING Workspace (Pro Edition) console, end users must bind virtual MFA devices to their on-premises devices the first time they log on to WUYING terminals. If end users change their virtual MFA devices, you must delete the original devices in the WUYING Workspace (Pro Edition) console. After you delete the virtual MFA devices, end users must bind new devices upon their next logon to WUYING terminals.

Delete a virtual MFA device of a convenience user

  1. In the left-side navigation pane, choose Users & Logons > Users & Organizations.

  2. On the User tab of the Manage User page, find the desired end user and click the icon in the Actions column. Then, select Manage User MFA Device.

  3. In the Manage User MFA Device dialog box, find the desired virtual MFA device and click Delete in the Actions column. Then, click OK.

Delete a virtual MFA device of an enterprise AD user

Delete a virtual MFA device of an enterprise Active Directory (AD) user in an office network

  1. In the left-side navigation pane, choose Resources & Terminals > Cloud Computers.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Cloud Computers page, find the desired cloud computer and click the ⋮ icon in the Actions column. Then, select Manage User MFA Device.

  4. In the Manage User MFA Device panel, follow the instructions to delete the virtual MFA device.

Note

If you enabled MFA for an office network and enterprise AD users have bound virtual MFA devices upon their first logon to WUYING terminals, the system locks the virtual MFA devices for 1 hour after 10 failed logon attempts by the enterprise AD users. If enterprise AD users need to log on to WUYING terminals during the lockout period, you can call the UnlockVirtualMFADevice operation to unlock the virtual MFA devices. Alternatively, you can call the DeleteVirtualMFADevice operation to delete the virtual MFA devices and ask the enterprise AD users to bind new virtual MFA devices.
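
The TOTP check from the background note and the lockout rule in the note above (10 failed attempts, 1-hour lock), modeled in Python as an added example; it is not Alibaba Cloud's code. The 30-second step, HMAC-SHA1, the one-step drift window, the replay guard, the reset of the failure count on success, and the `VirtualMfaDevice` class with its `unlock` method are assumptions made for illustration.

```python
import hashlib, hmac, struct

DIGITS = 6            # 6-digit code, as stated on the page
STEP = 30             # assumed: RFC 6238 default time step in seconds
MAX_FAILURES = 10     # from the note: lock after 10 failed logon attempts
LOCK_SECONDS = 3600   # from the note: lock lasts 1 hour

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code for time `now` (HMAC-SHA1, RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class VirtualMfaDevice:
    """Hypothetical server-side record of one bound virtual MFA device."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0        # assumed: consecutive failures, reset on success
        self.locked_until = 0.0
        self.last_step = -1      # newest time step already accepted (replay guard)

    def verify(self, code: str, now: float, window: int = 1) -> str:
        """Return "ok", "denied" or "locked" for a submitted code."""
        if now < self.locked_until:
            return "locked"      # even a correct code is refused while locked
        current = int(now // STEP)
        # Accept +/- `window` steps of clock drift, but never a step used before.
        for step in range(max(0, current - window), current + window + 1):
            expected = totp(self.secret, step * STEP)
            if step > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step, self.failures = step, 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until, self.failures = now + LOCK_SECONDS, 0
        return "denied"

    def unlock(self) -> None:
        """Administrative unlock: clears the lock and the failure count."""
        self.failures, self.locked_until = 0, 0.0
```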