Two-factor authentication (2FA) adds a second layer of security to Bastionhost logons. After a user passes the password check, they must also verify their identity through a second method — text message, email, DingTalk, or a one-time password (OTP) app — before gaining access. This reduces the risk of unauthorized access from compromised passwords.
Supported user types
Two-factor authentication applies to local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users managed in the Bastionhost console.
For Resource Access Management (RAM) users, enable multi-factor authentication (MFA) from the RAM console instead. For details, see Bind an MFA device to an Alibaba Cloud account.
Global 2FA settings configured on the System Settings page have a lower priority than per-user 2FA settings. To override global settings for a specific user, see Manage users.
Choose an authentication method
Bastionhost supports four authentication methods. The table below compares them by security level, prerequisites, and typical use case — choose the one that best fits your organization's requirements.
| Method | What users need | Setup complexity | Best for |
|---|---|---|---|
| OTP app | A TOTP-compliant authenticator app | Low (user self-enrolls) | High-security environments; most phishing-resistant |
| DingTalk | A DingTalk account linked to their mobile number | Medium (requires DingTalk admin setup) | Organizations already using DingTalk |
| Text message | A registered mobile phone number | Low | General use; depends on SMS delivery |
| Email | A registered email address | Low | General use; least friction |
OTP app-based authentication does not rely on SMS carriers or network delivery, making it more robust in environments where SMS reliability is a concern.
Enable two-factor authentication
Prerequisites
Before you begin, make sure you have:
- Administrator access to the Bastionhost console.
- Each user's mobile phone number or email address configured in their profile, if you plan to use text message, email, or DingTalk authentication. To update this information, see Modify the basic information about a local user.
- For DingTalk: a DingTalk administrator who has created an internal enterprise application, activated the operation to obtain member information based on mobile phone numbers and names, and obtained the AppKey, AppSecret, and AgentId values.
- For OTP app: users who have downloaded a standard time-based one-time password (TOTP) authenticator app, such as the Alibaba Cloud app.
Steps
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
2. In the bastion host list, find the target bastion host and click Manage.
3. In the left-side navigation pane, click System Settings.
4. On the System Settings page, click the Two-factor Authentication tab.
5. Turn on Enable Two-factor Authentication, select one or more values for Authentication Method, configure the remaining parameters, and then click Save. The following table describes the parameters.
| Parameter | Description |
|---|---|
| Authentication Method — Text Message | Sends verification codes via SMS. The user's mobile phone number must be configured in their profile; otherwise, they cannot receive verification codes. |
| Authentication Method — Email | Sends verification codes via email. The user's email address must be configured in their profile; otherwise, they cannot receive verification codes. |
| Authentication Method — DingTalk | Sends verification codes via DingTalk notifications. The user's mobile phone number must be configured in their profile. The DingTalk internal enterprise application must be set up in advance (see Prerequisites). |
| Authentication Method — OTP App | Requires users to authenticate using a TOTP authenticator app. After this method is enabled, users must bind an OTP app before they can log on: log on to the operations and maintenance (O&M) portal via a public endpoint, go to Security Settings > Enable OTP, and click Bind OTP App to scan the QR code. For details, see Log on to the O&M portal. |
| Language | The language for two-factor notification messages. Options: Simplified Chinese or English. |
| If the two-factor code is correct, you do not need to enter the code for | The trust period during which users from the same source IP address are not prompted for a verification code again. Valid values: 0–168 hours or 0–7 days. The default value of 0 hours requires a code at every logon. |
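To make the OTP App method and the trust-period parameter concrete, the following is an added Python model, not Bastionhost's own code: it verifies an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6 digits, the scheme standard authenticator apps produce) and then applies a per-user, per-source-IP trust window in the 0–168 hour range. The `TwoFactorGate` class, the one-step clock-skew allowance, and the in-memory trust store are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30   # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6  # code length shown by standard authenticator apps


def totp(secret_b32: str, t: int) -> str:
    """Compute the TOTP code for base32 secret `secret_b32` at Unix time `t`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", t // TOTP_STEP)            # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** TOTP_DIGITS):0{TOTP_DIGITS}d}"


class TwoFactorGate:
    """Assumed model of the OTP check plus the 'trust this source IP for N hours' setting."""

    def __init__(self, trust_hours: int = 0, skew_steps: int = 1):
        if not 0 <= trust_hours <= 168:                    # console allows 0-168 hours (0-7 days)
            raise ValueError("trust period must be between 0 and 168 hours")
        self.trust_seconds = trust_hours * 3600
        self.skew_steps = skew_steps                       # tolerate +/- this many steps of drift
        self._trusted: dict = {}                           # (user, source_ip) -> trust expiry time

    def needs_code(self, user: str, source_ip: str, now: int) -> bool:
        """True unless this user from this source IP is still inside a trust window."""
        return self._trusted.get((user, source_ip), 0) <= now

    def verify(self, user: str, source_ip: str, secret_b32: str, code: str, now: int) -> bool:
        """Accept the logon if trusted, or if `code` matches the user's TOTP secret."""
        if not self.needs_code(user, source_ip, now):
            return True
        for step in range(-self.skew_steps, self.skew_steps + 1):
            expected = totp(secret_b32, now + step * TOTP_STEP)
            if hmac.compare_digest(expected, code):        # constant-time comparison
                if self.trust_seconds:                     # 0 hours: never record trust
                    self._trusted[(user, source_ip)] = now + self.trust_seconds
                return True
        return False
```

A different source IP, or the expiry of the window, puts the user back on the "enter a code" path, which is the behaviour the trust-period parameter describes.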
Supported countries and regions for SMS
The following countries and regions support SMS-based two-factor authentication.
| Country or region | Calling code |
|---|---|
| Areas in China | |
| Hong Kong (China) | +852 |
| Macao (China) | +853 |
| Taiwan (China) | +886 |
| Chinese mainland | +86 |
| Countries and regions outside China | |
| Australia | +61 |
| Poland | +48 |
| Germany | +49 |
| UAE | +971 |
| Russia | +7 |
| France | +33 |
| Philippines | +63 |
| Republic of Korea | +82 |
| Malaysia | +60 |
| United States | +1 |
| Japan | +81 |
| Sweden | +46 |
| Switzerland | +41 |
| Spain | +34 |
| Singapore | +65 |
| Israel | +972 |
| Italy | +39 |
| India | +91 |
| Indonesia | +62 |
| United Kingdom | +44 |
| Saudi Arabia | +966 |
| Thailand | +66 |
| Vietnam | +84 |
| Cambodia | +855 |
What's next
- To configure 2FA settings for a specific user (which overrides the global settings), see Manage users.
- To help users bind their OTP app, see Log on to the O&M portal.