You can attach a virtual MFA device to your Alibaba Cloud account for secondary identity verification when you log on. This improves the security of your Alibaba Cloud account. This topic describes how to attach or detach a virtual MFA device.
What is MFA and why should you configure it?
Multi-Factor Authentication (MFA) is a security best practice that adds an extra layer of protection on top of your username and password.
When you enable MFA, you must complete two verification steps to log on to Alibaba Cloud:
First verification: Enter your username and password.
Second verification: Use another authentication method, such as a six-digit dynamic code generated by a virtual MFA device every 30 seconds.
With this two-step verification, even if your password is compromised, no one can log on to your account without your physical device. This helps prevent account theft and greatly improves security.
What MFA methods do Alibaba Cloud accounts support?
Alibaba Cloud accounts support multiple MFA methods, such as text message verification. This topic focuses on virtual MFA devices, which are software-based MFA applications. A virtual MFA device is an app that follows the time-based one-time password (TOTP) standard (RFC 6238). It generates a six-digit dynamic code every 30 seconds for secondary authentication during logon and other critical operations.
Recommended virtual MFA applications
Google Authenticator: A mainstream TOTP standard app for Android and iOS.
Other TOTP-compatible authenticators: Such as Microsoft Authenticator and Authenticator (for Windows Phone).
Best practices for virtual MFA
Enable MFA: Attaching a virtual MFA device to your Alibaba Cloud account is an important step to protect your assets in the cloud.
Detach before uninstalling: Before you uninstall the virtual MFA application (such as the Alibaba Cloud app) or change your phone, you must detach the virtual MFA device first. Otherwise, you will not be able to log on.
Handle shared accounts: If multiple users share your account, take a screenshot of the QR code when you first attach the virtual MFA device. Other users can then scan the QR code with the Alibaba Cloud app or Google Authenticator. This allows multiple users to obtain the dynamic verification codes in sync.
Attach a virtual MFA device
Log on to the Alibaba Cloud Account Center. Go to the Security Settings page. In the Other Settings section, click Set up for Account Protection.
On the Enable Account Protection page, select one or more scenarios and verification methods. Click OK to go to the identity verification page.
TOTP verification
On the identity verification page, you can authenticate using your email address or mobile phone number.
Download and install Google Authenticator on your mobile phone. After the installation is complete, click Next to go to the attach page. If you have already installed the app, click Next.
Use Google Authenticator to scan the QR code, get a 6-digit verification code, enter the code, and then click Next to complete the account protection settings.
Text message verification
On the Verify Identity page, you can receive a text message verification code on your mobile phone.
Enter the verification code from the text message and click OK to complete the account protection settings.
NoteIf you select Text Message Verification and your account is not attached to a mobile phone number, you must first authenticate using your email address. Then, attach a mobile phone number to enable account protection.
You have successfully enabled account protection.
Detach a virtual MFA device
If you have not lost your phone and have not deleted the virtual MFA application, follow these steps to detach the virtual MFA device:
Log on to the Alibaba Cloud Account Center. Go to the Security Settings page. In the Other Settings area, click Modify for Account Protection.
You can click Turn off in the Account Protection Settings section to turn off account protection. You can also click Turn off in the verification method section to turn off a specific verification method. In addition, you can click Edit to select the Scenarios to enable or disable.
On the Verify Identity page, open the Alibaba Cloud app or Google Authenticator and enter the 6-digit dynamic verification code to complete the identity verification. You can also click Try a different method and choose to verify your identity using a code sent to your phone or email.
After the identity verification is complete, account protection is turned off.
If you cannot detach the MFA device for your Alibaba Cloud account using the preceding methods and you cannot log on, you can submit an appeal to complete the detachment. For more information, see Logon is blocked by an unavailable virtual MFA device or an IP address mask.