Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide their usernames, passwords, and the dynamic codes generated by virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This topic describes how to configure MFA.
Background information
MFA is a simple and effective authentication method used to enhance security. After you activate MFA for office networks or organization IDs, Alibaba Cloud Workspace terminals require end users to go through two-level verification every time they log on.
First-level: Enter the correct username and password.
Second-level: Enter the dynamic code generated by the virtual MFA device or the verification code received via email.
Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. Examples of virtual MFA devices include Google Authenticator and Microsoft Authenticator. When MFA is activated, end users must enter a six-digit code dynamically generated by their virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This prevents unauthorized access due to compromised passwords.
Alibaba Cloud Workspace terminals support software-based virtual MFA devices. You can install TOTP-based virtual MFA devices, such as Google Authenticator and Microsoft Authenticator, on your mobile phones.
Elastic Desktop Service (EDS) Enterprise supports the following MFA methods:
Authentication method | Applicable logon method | Applicable client type | Applicable account type |
TOTP | Both logons by organization ID and by office network ID | All | All |
Email verification code | Logons by organization ID | | Convenience accounts and Active Directory (AD) accounts with a configured email address |
Enable MFA for an office network
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click the ID of the office network.
In the Other Information section, turn on the MFA switch. In the message that appears, click OK.
Note: Make sure that the Client Logon Verification and SSO switches are turned off.
After you enable MFA for an office network, end users must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals in this office network.
Enable MFA for an organization ID
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Security tab of the Logon Settings page, set MFA to Enable.
In the confirmation dialog box, select an authentication method.
TOTP
Use the Alibaba Cloud app or other common OTP apps, such as Google Authenticator, for two-factor authentication.
Email Verification Code
Applies only to desktop clients with version 7.6 or later and mobile clients with version 7.3 or later. Supports both convenience and AD accounts.
Note: If an account does not have an email address associated with it, the user will be unable to complete the verification process.
After you enable MFA for an organization ID, end users who use the organization ID must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device
After you turn on the MFA switch in the EDS Enterprise console, end users must bind virtual MFA devices to their convenience accounts the first time they log on to Alibaba Cloud Workspace terminals. If end users change their virtual MFA devices, you must delete the original devices in the EDS Enterprise console. After you delete virtual MFA devices, end users must bind new devices to their convenience accounts the next time they log on to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device of a convenience user
In the left-side navigation pane, choose .
On the User tab of the Users & Organizations page, find the user that you want to manage, click the ⋮ icon in the Actions column, and then click Manage MFA Device.
In the Manage MFA Device dialog box, find the MFA device that you want to delete and click Delete in the Actions column. In the message that appears, click OK.