This topic describes how to enable a multi-factor authentication (MFA) device for a Resource Access Management (RAM) user. Virtual MFA devices and Universal 2nd Factor (U2F) security keys are two types of MFA devices. After you enable an MFA device, it provides higher security protection for the RAM user.

Note You can enable only one type of MFA device for a RAM user.

Enable a virtual MFA device

Before you can enable a virtual MFA device, you must download and install the Google Authenticator app on your mobile device. You can use one of the following methods to download the Google Authenticator app:

  • For iOS, download the Google Authenticator app from the App Store.
  • For Android, download the Google Authenticator app from your preferred app store.
    Note For Android, you must also download and install a quick response (QR) code scanner from an app store for Google Authenticator to identify QR codes.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user that has administrative rights.
    Note
    • If you selected Required for Enable MFA when you created the RAM user, the RAM user is required to bind an MFA device upon logon. You can select Virtual MFA Device in the Enable MFA Device dialog box and go to Step 6.
    • If a RAM user of your Alibaba Cloud account is allowed to manage its own MFA device, the RAM user can enable the MFA device in the RAM console. To enable an MFA device, perform the following operations: Move the pointer over the profile picture in the upper-right corner of the console and click Security Information Management. On the Virtual MFA Device tab, click Enable Virtual MFA Device.
  2. In the left-side navigation pane, choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of the RAM user for which you want to enable a virtual MFA device.
  4. On the page that appears, click the Authentication tab. Then, click the Virtual MFA Device tab.
  5. Click Enable the Virtual MFA Device.
  6. On your mobile device, enable a virtual MFA device.
    Note The following example shows how to enable a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.
    1. Open the Google Authenticator app.
    2. Click Get started and select one of the following methods to enable a virtual MFA device:
      • Tap Scan a QR code in the Google Authenticator app. Then, scan the QR code that is displayed on the Scan the code tab in the RAM console. This method is recommended.
      • Tap Enter a setup key. Then, enter the account and key that you obtained from the Retrieve manually enter information tab in the RAM console, and tap Add.
  7. In the RAM console, enter the two consecutive verification codes that are displayed in the Google Authenticator app. Then, click Enable.
    Note Verification codes in the Google Authenticator app are updated at an interval of 30 seconds.
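
The following added example (not Alibaba Cloud code) shows what the two consecutive verification codes in Step 7 are: Google Authenticator implements TOTP (RFC 6238), so each code is derived from the setup key and the current 30-second window. The `verify_pair` check is an assumption about how a server could validate an enrollment, and the setup key is the constructed RFC 6238 test secret, not a real RAM key.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # code lifetime stated in the note above
DIGITS = 6         # Google Authenticator default code length
# Constructed sample setup key: the published RFC 6238 test secret, Base32-encoded.
SAMPLE_SETUP_KEY = base64.b32encode(b"12345678901234567890").decode()


def decode_setup_key(setup_key):
    """Setup keys are Base32; tolerate spaces, lower case and missing padding."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_codes(setup_key, unix_time):
    """Code for the current 30-second window and for the window after it."""
    key = decode_setup_key(setup_key)
    counter = unix_time // STEP_SECONDS
    return hotp(key, counter), hotp(key, counter + 1)


def verify_pair(setup_key, first, second, unix_time, drift_steps=1):
    """Assumed server-side check: both codes must come from adjacent windows.

    drift_steps is how many windows of clock skew are tolerated either way.
    """
    key = decode_setup_key(setup_key)
    now = unix_time // STEP_SECONDS
    for counter in range(now - drift_steps, now + drift_steps + 1):
        first_ok = hmac.compare_digest(hotp(key, counter), first)
        second_ok = hmac.compare_digest(hotp(key, counter + 1), second)
        if first_ok and second_ok:
            return True
    return False


if __name__ == "__main__":
    print(consecutive_codes(SAMPLE_SETUP_KEY, 1111111109))
```

Entering the same code twice fails this check, which is why you must wait for the app to refresh before you enter the second code.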

Enable a U2F security key

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user that has administrative rights.
    Note
    • If you selected Required for Enable MFA when you created the RAM user, the RAM user is required to bind an MFA device upon logon. You can select U2F Security Key in the Enable MFA Device dialog box and go to Step 6.
    • If a RAM user of your Alibaba Cloud account is allowed to manage its own MFA device, the RAM user can enable the MFA device in the RAM console. To enable an MFA device, perform the following operations: Move the pointer over the profile picture in the upper-right corner of the console and click Security Information Management. On the U2F Security Key tab, click Enable U2F Security Key.
  2. In the left-side navigation pane, choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of the RAM user for which you want to enable a U2F security key.
  4. On the page that appears, click the Authentication tab. Then, click the U2F Security Key tab.
  5. Click Enable U2F Security Key.
  6. On the Bind U2F Security Key page, bind the RAM user to the U2F security key.
    Note Before you perform the following operations, you must understand the limits on U2F security keys. For more information, see Limits.
    1. Plug the U2F security key into the USB port on your computer.
    2. Tap the button of the U2F security key.
    3. In the message that prompts you to obtain the U2F security key, click OK.
    4. In the message indicating that the U2F security key is obtained, click Confirm.

What to do next

After you enable the MFA device and use the RAM user to log on to the Alibaba Cloud Management Console again, the console prompts you to perform the following operations:

  1. Enter the username and password of the RAM user.
  2. Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.
Note
  • If you want to change the type of MFA device that is bound to a RAM user, you must log on to the RAM console, disable the MFA device, and then bind the RAM user to another MFA device. For more information, see Disable an MFA device for a RAM user.
  • If the virtual MFA device is uninstalled before you disable the MFA device, or your U2F security key is lost, you cannot log on to the Alibaba Cloud Management Console. If this happens, you must use your Alibaba Cloud account or the RAM user that has administrative rights to log on to the RAM console and disable the MFA device. Then, bind the RAM user to an MFA device. For more information, see Disable an MFA device for a RAM user.