When two-factor authentication is enabled, a user who logs on to the Bastionhost console by using the username-password logon method is then prompted to enter a dynamic verification code that is sent by text message, by email, or as a notification in DingTalk. This reduces the risk that comes with password leaks. This topic describes how to enable two-factor authentication.

Background information

  • You can enable two-factor authentication only for local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users.
  • To enable two-factor authentication for a Resource Access Management (RAM) user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Enable an MFA device for an Alibaba Cloud account.

Prerequisites

  • If you select Text Message for the Authentication parameter when you enable two-factor authentication, you must specify the mobile phone number of the user who performs O&M operations. If you do not specify the mobile phone number, the user cannot receive verification codes. For more information, see Modify user information.
  • If you select Email for the Authentication parameter when you enable two-factor authentication, you must specify the email address of the user who performs O&M operations. If you do not specify the email address, the user cannot receive verification codes. For more information, see Modify user information.
  • If you select DingTalk for the Authentication parameter when you enable two-factor authentication, make sure that the following requirements are met:
    • The mobile phone number of the user who performs O&M operations is specified. For more information, see Modify user information.
    • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.
    • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.

Procedure

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, click System Settings.
  3. On the System Settings page, click the Two-Factor Authentication tab.
  4. Turn on Enable Two-factor Authentication, configure the parameters, and then click Save.
    If you select DingTalk for Authentication, you must configure AppKey, AppSecret, and AgentId of the internal enterprise application.