
Account Center: Attach or detach a virtual MFA device

Last Updated: Oct 20, 2025

You can attach a virtual MFA device to your Alibaba Cloud account for secondary identity verification when you log on. This improves the security of your Alibaba Cloud account. This topic describes how to attach or detach a virtual MFA device.

What is MFA and why should you configure it?

MFA adds an extra layer of protection on top of your username and password.

It requires you to provide two forms of verification when you sign in:

  1. First verification: Enter your username and password.

  2. Second verification: Provide another form of authentication, such as a six-digit dynamic verification code that is automatically generated by a virtual MFA device every 30 seconds.

With two-factor authentication, even if your password is compromised, no one can log on to your account without your device. This effectively prevents account theft and significantly improves account security.

What MFA methods do Alibaba Cloud accounts support?

Alibaba Cloud accounts support multiple MFA methods, such as text message verification codes. This topic focuses on virtual MFA devices, which are software-based MFA applications. A virtual MFA device is an app that follows the time-based one-time password (TOTP) standard (RFC 6238). It generates a new six-digit verification code every 30 seconds. You use this code for secondary authentication during login and other critical operations.

Recommended authenticator apps:

  • Google Authenticator: A mainstream TOTP standard app for Android and iOS.

  • Other TOTP-compatible authenticators: Microsoft Authenticator.

Best practices for virtual MFA

  • Enable MFA: Attaching a virtual MFA device to your Alibaba Cloud account is an important step to protect your assets in the cloud.

  • Detach before uninstalling: Before you uninstall the virtual MFA application (such as the Alibaba Cloud app) or change your phone, you must detach the virtual MFA device first. Otherwise, you will not be able to log on.

  • Handle shared accounts: If multiple users share your account, take a screenshot of the QR code when you first attach the virtual MFA device. Other users can then scan the QR code with the Alibaba Cloud app or Google Authenticator. This allows multiple users to obtain the dynamic verification codes in sync.
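The following Python sketch is an added example, not Alibaba Cloud's code: it computes RFC 6238 codes from the secret carried in a QR code, which is why every device that scans the same QR code shows the same six-digit code. It assumes the QR code holds a Google Authenticator style otpauth:// key URI using HMAC-SHA1; the sample URI is constructed from the RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample of what a QR code encodes (assumed key-URI format).
# The secret is base32 of the RFC 6238 test key "12345678901234567890",
# not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # base32 padding is usually omitted
    return (base64.b32decode(secret),
            int(params.get("digits", 6)), int(params.get("period", 30)))


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, window=1, digits=6, period=30):
    """Accept the current 30-second step plus `window` steps either side,
    which tolerates small clock drift between phone and server."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * period, digits, period), code)
        for i in range(-window, window + 1))
```

Because the QR code contains the secret itself, a saved screenshot is equivalent to the MFA device and should be stored with the same care as a password.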

Enable account protection

  1. Log on to the Alibaba Cloud Account Center. Go to the Security Settings page. In the Account Protection section, click View to go to the Account Protection settings page.

  2. On the Turn on Account Protection page, select one or more scenarios and verification methods. Click Submit to go to the identity verification page.

    TOTP verification

    1. On the identity verification page, you can authenticate using your email address or phone number.

    2. Download and install Google Authenticator on your phone. After the installation is complete, click Next to go to the attach page. If you have already installed the app, click Next.

    3. Use Google Authenticator to scan the QR code and obtain a 6-digit verification code. Enter the code and click Next to complete the account protection settings.

    Text message verification

    1. On the Verify Identity page, you can receive a text message verification code sent to your Phone Number.

    2. Enter the verification code from the text message and click Submit to complete the account protection settings.

    Note

    If you select the Text Message Verification method and do not have a phone number attached to your account, you must first authenticate using your email address. Then, you can attach a phone number to enable account protection.

  3. You have successfully enabled account protection.

Detach a virtual MFA device

  • If you have not lost your phone and have not deleted the virtual MFA application, follow these steps to detach the virtual MFA device:

    1. Log on to the Alibaba Cloud Account Center. Navigate to the Security Settings page. In the Account Protection section, click Edit to open the Account Protection settings page.

    2. You can click Turn off in the Account Protection Settings section to turn off account protection. You can also click Turn off in the verification method section to turn off a specific verification method. In addition, you can click Modify to enable or disable specific scenarios.

    3. On the Verify Identity page, open the Alibaba Cloud app or Google Authenticator and enter the 6-digit dynamic verification code to complete the identity verification. You can also click Try a different method and choose to verify your identity using a code sent to your phone or email.

    4. After the identity verification is complete, account protection is turned off.

  • If you cannot detach the MFA device for your Alibaba Cloud account using the preceding methods and you cannot log on, you must submit an appeal to complete the detachment. For more information, see Logon is blocked by an unavailable virtual MFA device or an IP address mask.