All Products
Search
Document Center

Bastionhost:Enable two-factor authentication

Last Updated:Apr 02, 2026

Two-factor authentication (2FA) adds a second layer of security to Bastionhost logons. After a user passes the password check, they must also verify their identity through a second method — text message, email, DingTalk, or a one-time password (OTP) app — before gaining access. This reduces the risk of unauthorized access from compromised passwords.

Supported user types

Two-factor authentication applies to local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users managed in the Bastionhost console.

For Resource Access Management (RAM) users, enable multi-factor authentication (MFA) from the RAM console instead. For details, see Bind an MFA device to an Alibaba Cloud account.

Global 2FA settings configured on the System Settings page have a lower priority than per-user 2FA settings. To override global settings for a specific user, see Manage users.

Choose an authentication method

Bastionhost supports four authentication methods. The table below compares them by security level, prerequisites, and typical use case — choose the one that best fits your organization's requirements.

Method What users need Setup complexity Best for
OTP app A TOTP-compliant authenticator app Low (user self-enrolls) High-security environments; most phishing-resistant
DingTalk A DingTalk account linked to their mobile number Medium (requires DingTalk admin setup) Organizations already using DingTalk
Text message A registered mobile phone number Low General use; depends on SMS delivery
Email A registered email address Low General use; least friction
OTP app-based authentication does not rely on SMS carriers or network delivery, making it more robust in environments where SMS reliability is a concern.

Enable two-factor authentication

Prerequisites

Before you begin, make sure you have:

  • Administrator access to the Bastionhost console

  • Each user's mobile phone number or email address configured in their profile, if you plan to use text message, email, or DingTalk authentication. To update this information, see Modify the basic information about a local user

  • For DingTalk: a DingTalk administrator who has created an internal enterprise application, activated the operation to obtain member information based on mobile phone numbers and names, and obtained the AppKey, AppSecret, and AgentId values

  • For OTP app: users who have downloaded a standard time-based one-time password (TOTP) authenticator app, such as the Alibaba Cloud app

Steps

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the System Settings page, click the Two-factor Authentication tab.

  5. Turn on Enable Two-factor Authentication, select one or more values for Authentication Method, configure the remaining parameters, and then click Save. The following table describes the parameters.

    Parameter Description
    Authentication MethodText Message Sends verification codes via SMS. The user's mobile phone number must be configured in their profile; otherwise, they cannot receive verification codes.
    Authentication MethodEmail Sends verification codes via email. The user's email address must be configured in their profile; otherwise, they cannot receive verification codes.
    Authentication MethodDingTalk Sends verification codes via DingTalk notifications. The user's mobile phone number must be configured in their profile. The DingTalk internal enterprise application must be set up in advance (see Prerequisites).
    Authentication MethodOTP App Requires users to authenticate using a TOTP authenticator app. After this method is enabled, users must bind an OTP app before they can log on: log on to the operations and maintenance (O&M) portal via a public endpoint, go to Security Settings > Enable OTP, and click Bind OTP App to scan the QR code. For details, see Log on to the O&M portal.
    Language The language for two-factor notification messages. Options: Simplified Chinese or English.
    If the two-factor code is correct, you do not need to enter the code for The trust period during which users from the same source IP address are not prompted for a verification code again. Valid values: 0–168 hours or 0–7 days. The default value of 0 hours requires a code at every logon.

Supported countries and regions for SMS

The following countries and regions support SMS-based two-factor authentication.

Country or region Calling code
Areas in China
Hong Kong (China) +852
Macao (China) +853
Taiwan (China) +886
Chinese mainland +86
Countries and regions outside China
Australia +61
Poland +48
Germany +49
UAE +971
Russia +7
France +33
Philippines +63
Republic of Korea +82
Malaysia +60
United States +1
Japan +81
Sweden +46
Switzerland +41
Spain +34
Singapore +65
Israel +972
Italy +39
India +91
Indonesia +62
United Kingdom +44
Saudi Arabia +966
Thailand +66
Vietnam +84
Cambodia +855

What's next