When multi-factor authentication (MFA) is enabled, regular users must enter their password and an MFA authentication code to log on to an Elastic Desktop Service (EDS) client. This provides two-layer protection for logons and enhances account security. This topic describes how to configure MFA.

Background information

MFA is a simple and effective practice that adds an extra layer of protection on top of your username and password. When MFA is enabled, the system requires two authentication factors before a regular user can log on to a client. The first factor is the username and password. The second factor is an authentication code dynamically generated by an MFA device. These two factors provide increased security for your account.

MFA devices use the Time-based One-time Password (TOTP) algorithm to generate time-dependent 6-digit dynamic authentication codes. MFA devices can be implemented in hardware or software. EDS supports software-based virtual MFA devices. You can install MFA-capable software, such as the Alibaba Cloud app, on a mobile device such as your phone to act as a virtual MFA device.
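The following added example (not part of this topic or of the EDS product code) shows what the client and server both compute when a TOTP code is checked: HMAC-SHA1 over a 30-second time counter, truncated to 6 digits as in RFC 6238. It also models, as an assumption about server behaviour, the lock that this topic describes for five consecutive invalid codes; the `VirtualMfaDevice` class, the one-step drift window and the constants are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6           # EDS authentication codes are 6 digits
MAX_FAILURES = 5     # consecutive invalid codes before the device locks
LOCK_SECONDS = 3600  # 1-hour lock period described in this topic (assumed server policy)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step), so the code changes every `step` seconds."""
    return hotp(secret, unix_time // step)

class VirtualMfaDevice:
    """Constructed server-side model of one bound device: shared secret plus failure/lock state."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def check(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps of clock drift; a locked device rejects everything."""
        if self.is_locked(now):
            return False
        for drift in range(-window, window + 1):
            expected = totp(self.secret, now + drift * STEP)
            if hmac.compare_digest(expected, code):  # constant-time comparison of the two codes
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS  # five consecutive failures: lock for 1 hour
            self.failures = 0
        return False
```

The `totp` values for the ASCII secret `12345678901234567890` match the last six digits of the RFC 6238 Appendix B test vectors, which is a quick way to check any TOTP implementation.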

Perform the following steps to implement MFA:
  1. Enable MFA for a workspace in the EDS console.
  2. Bind an MFA device the first time you log on to the EDS client as a regular user.
  3. Enter the MFA security code the next time you log on to the EDS client as a regular user.

Enable MFA for a workspace

You can configure a workspace to enable or disable MFA. If MFA is enabled for a workspace, MFA is also enabled for all cloud desktops within the workspace.

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Overview.
  4. On the Overview page, find the workspace for which you want to enable MFA and click the workspace ID.
  5. On the workspace details page, select Enable for Multi-factor Device Authentication.

Bind a virtual MFA device for a regular user

If MFA is enabled for the workspace to which a regular user's cloud desktop belongs, the user must bind a virtual MFA device the first time the user logs on to the client. You can install MFA-capable software, such as the Alibaba Cloud app, on your mobile phone to act as a virtual MFA device.
Note You can install the Alibaba Cloud app from the App Store or your preferred app store based on the operating system of your mobile phone.

Perform the following steps to bind a virtual MFA device:

  1. Double-click the client icon to open the client.
  2. Enter the directory ID, select a corresponding connection method, and then click Next.
    The first time you log on to the client, you must set the directory ID and connection method. The next time you log on to the client, the system reuses the same configurations and skips this step. To change the directory, modify the logon settings.
  3. Enter your username and password and click Login.
  4. Follow the instructions displayed on the client and scan the QR code to bind a virtual MFA device.
    1. Open the Alibaba Cloud app on your mobile phone, scan the QR code displayed on the client, and then click OK.
    2. Enter the 6-digit authentication code displayed on the Virtual MFA page of the Alibaba Cloud app and click OK.
    • If you enter an invalid MFA authentication code five times in a row, the virtual MFA device cannot be bound and the system disables it. You must log on to the client again and bind a virtual MFA device.
    • If you enter the valid MFA authentication code, the virtual MFA device is bound. You can log on to the cloud desktop. The next time you log on to the client, you can enter your username and password and the MFA authentication code.

Delete a virtual MFA device bound for a regular user

MFA devices can be deleted only for cloud desktops that belong to workspaces of the enterprise AD account type.

In the following scenarios, you may want to delete the bound virtual MFA device:
  • The bound virtual MFA device is no longer needed, for example because of a change of phone number.
  • The virtual MFA device that is bound is locked and unavailable.
    Note After a virtual MFA device is bound for an AD user, the MFA device is locked for 1 hour if an invalid MFA authentication code is entered five times in a row. If you want to log on to the cloud desktop during the lock period, you can call the UnlockVirtualMFADevice operation to unlock the virtual MFA device. You can also delete the virtual MFA device and bind another one.

Perform the following steps to delete a virtual MFA device:

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Cloud Desktops.
  4. On the Cloud Desktops page, find the cloud desktop for which you want to delete a virtual MFA device, click the More icon in the Actions column, and then click Manage User MFA Device.
    In the dialog box that appears, you can view the usernames of users of the cloud desktop and the serial number of the virtual MFA device bound for each user.
  5. Find the virtual MFA device that you want to delete and click Delete in the Actions column. Then, click OK.
    After the virtual MFA device is deleted, the corresponding AD user must bind a virtual MFA device the next time the AD user logs on to the client.