After you log on to the Bastionhost console by using the username-password logon method, you can enable two-factor authentication to allow users to enter dynamic verification codes that are sent by text message, email, or notification in DingTalk. You can also allow users to enter one-time passwords (OTPs) to implement two-factor authentication. This helps reduce the risk of password leaks. This topic describes how to enable two-factor authentication.

Background information

  • You can enable two-factor authentication only for local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users.
  • To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Enable an MFA device for an Alibaba Cloud account.

Prerequisites

  • If you select Text Message for the Authentication Method parameter when you enable two-factor authentication, you must specify the mobile phone number of the user who wants to perform O&M operations. If you do not specify the mobile phone number, the user cannot receive verification codes. For more information, see Modify user information.
  • If you select Email for the Authentication Method parameter when you enable two-factor authentication, you must specify the email address of the user who wants to perform O&M operations. If you do not specify the email address, the user cannot receive verification codes. For more information, see Modify user information.
  • If you select DingTalk for the Authentication Method parameter when you enable two-factor authentication, make sure that the following requirements are met:
    • The mobile phone number of the user who wants to perform O&M operations is specified. For more information, see Modify user information.
    • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.
    • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.
  • If you select OTP App for the Authentication Method parameter when you enable two-factor authentication, you must download an app that supports time-based one-time password (TOTP). Bastionhost allows two-factor authentication from TOTP authenticator apps, such as the Alibaba Cloud app. This way, you can log on to the O&M portal by using the public O&M address of your bastion host, and use the app to scan the quick response (QR) code that is displayed to bind the app to your bastion host.

Procedure

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, click System Settings.
  3. On the System Settings page, click the Two-Factor Authentication tab.
  4. Turn on Enable Two-factor Authentication, set Authentication Method to Text Message, Email, DingTalk, or OTP App, and configure other parameters. Then, click Save.
    If you select DingTalk for Authentication Method, you must configure AppKey, AppSecret, and AgentId of the internal enterprise application.
    If you select OTP App for Authentication Method, you must download a TOTP authenticator app, such as the Alibaba Cloud app. Then, log on to the O&M portal by using the public O&M address of your bastion host. In the left-side navigation pane, click Security Settings. On the page that appears, click the Enable OTP tab. Then, click Bind OTP App. The system displays a QR code. Use the app to scan the QR code to bind the app with your bastion host.
    For more information about how to obtain the O&M addresses of a bastion host, see Homepage overview of a bastion host.