All Products
Search
Document Center

Resource Access Management:Bind an MFA device to an Alibaba Cloud account

Last Updated:Jan 30, 2024

This topic uses the Google Authenticator app as an example to describe how to bind a multi-factor authentication (MFA) device to an Alibaba Cloud account. After an MFA device is bound, the MFA device provides additional security protection for your Alibaba Cloud account.

Prerequisites

The Google Authenticator app is downloaded and installed on your mobile device. You can use one of the following methods to download the Google Authenticator app:

  • For iOS, download the Google Authenticator app from the App Store.

  • For Android, download the Google Authenticator app from your preferred app store.

    Note

    For Android, you must also download and install a quick response (QR) code scanner from an app store for Google Authenticator to identify QR codes.

Procedure

  1. Log on to the Alibaba Cloud Management Console with an Alibaba Cloud account.

  2. Move the pointer over the profile picture in the upper-right corner of the console, and click Security Settings.

  3. In the Account Protection section of the Security Settings page, click Edit.

    Note

    MFA is renamed Time-based One-time Password (TOTP).

  4. On the Turn on Account Protection page, select scenarios and the TOTP verification method. Then, click Submit.

  5. In the Verify identity step, select a verification method.

  6. In the Install the application step, click Next.

  7. On your mobile device, bind a virtual MFA device.

    Note

    The following example shows how to bind a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.

    1. Open the Google Authenticator app.

    2. Click Get started and select one of the following methods to enable a virtual MFA device:

      • Tap Scan a QR code in the Google Authenticator app and scan the QR code that is displayed in the Enable the MFA step of the Alibaba Cloud Management Console. This method is recommended.

      • Tap Enter a setup key, enter an account and the key of the account, and then tap Add.

        Note

        In the Enable the MFA step of the Alibaba Cloud Management Console, move the pointer over Scan failed to view the account and key.

  8. In the Enable the MFA step of the Alibaba Cloud Management Console, enter the dynamic verification code that is displayed in the Google Authenticator app. Then, click Next to complete the account protection settings.

    Note

    Verification codes in the Google Authenticator app are updated at an interval of 30 seconds.

What to do next

If you use the Alibaba Cloud account to log on to the Alibaba Cloud Management Console after you bind the virtual MFA device, you are prompted to enter the following verification information:

  1. Enter the username and password of the RAM user.

  2. Enter the verification code that is generated by the virtual MFA device.

Important
  • After you bind an MFA device to an Alibaba Cloud account, the MFA device takes effect only on the Alibaba Cloud account and does not affect the logon of RAM users.

  • Before you uninstall the Google Authenticator app or remove the MFA device that is bound to the Google Authenticator app, you must unbind the MFA device in the Alibaba Cloud Management Console. Otherwise, you cannot log on to the Alibaba Cloud Management Console. For more information, see Unbind an MFA device from an Alibaba Cloud account.