After you log on to the Bastionhost console by using the username-password logon method, you can enable two-factor authentication so that users must also enter a dynamic verification code that is sent by text message, email, or DingTalk notification, or a one-time password (OTP) generated by an authenticator app. This reduces the risk that a leaked password alone is enough to log on. This topic describes how to enable two-factor authentication.
Background information
- You can enable two-factor authentication only for local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users.
- To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Enable an MFA device for an Alibaba Cloud account.
Prerequisites
- If you select Text Message for the Authentication Method parameter when you enable two-factor authentication, you must specify the mobile phone number of the user who wants to perform O&M operations. If you do not specify the mobile phone number, the user cannot receive verification codes. For more information, see Modify user information.
- If you select Email for the Authentication Method parameter when you enable two-factor authentication, you must specify the email address of the user who wants to perform O&M operations. If you do not specify the email address, the user cannot receive verification codes. For more information, see Modify user information.
- If you select DingTalk for the Authentication Method parameter when you enable two-factor authentication, make sure that the following requirements are met:
  - The mobile phone number of the user who wants to perform O&M operations is specified. For more information, see Modify user information.
  - An internal enterprise application is created by the DingTalk administrator, and the operation that obtains member information based on the mobile phone numbers and names of members is enabled for that application.
  - The AppKey, AppSecret, and AgentId values of the internal enterprise application are obtained.
- If you select OTP App for the Authentication Method parameter when you enable two-factor authentication, you must install an app that supports time-based one-time passwords (TOTP). Bastionhost accepts two-factor authentication from TOTP authenticator apps, such as the Alibaba Cloud app. Then, log on to the O&M portal by using the public O&M address of your bastion host and use the app to scan the quick response (QR) code that is displayed, which binds the app to your bastion host.