This topic introduces some basic concepts of security settings in the Resource Access Management (RAM) console.
An identity credential that is used to log on to the Alibaba Cloud Management Console.
default domain name
The domain name that is used to identify the Alibaba Cloud account. Alibaba Cloud
assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is
<AccountAlias>.onaliyun.com. The default domain name can be used for RAM user logon and single sign-on (SSO)
For more information, see View and modify the default domain name.
A custom domain name that you can use to replace the default domain name. The custom domain name must be publicly resolvable. A domain alias is the alias of the default domain name.
For more information, see Create and verify a domain alias.
An identity credential that is used to verify access identities. Each AccessKey pair consists of an AccessKey ID and an AccessKey secret. You can use your AccessKey pair or Alibaba Cloud SDK to sign API requests that you send to Alibaba Cloud. The AccessKey ID and AccessKey secret are used for symmetric encryption and identity verification. After the identity is verified, you can manage Alibaba Cloud resources by calling operations.
The AccessKey ID is used to identify a user, and the AccessKey secret is used to encrypt and verify a signature string.
For more information, see Create an AccessKey pair for a RAM user.
multi-factor authentication (MFA)
MFA is an easy-to-use and effective authentication method. In addition to the username and password, MFA provides an extra layer of protection. MFA enhances the security of your account.
MFA devices are classified into various types. Alibaba Cloud supports the following two types of MFA devices:
- Virtual MFA devices
Time-based one-time cipher algorithm (TOTP) is a multi-factor authentication protocol that is widely used. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, both the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated on the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logon due to password theft.
- U2F security keys
Universal 2nd Factor (U2F) is a multi-factor authentication protocol that is widely used and hosted by the Fast Identity Online (FIDO) Alliance. For more information, visit Fast Identity Online (FIDO) Alliance. The protocol is used to provide an efficient and universal multi-factor authentication method. You can plug a U2F security key, such as YubiKey produced by Yubico, into a USB port on your computer. Then, you can complete multi-factor authentication by tapping the button on the key when you log on to the Alibaba Cloud Management Console.
If you have enabled an MFA device, you must perform the following steps when you log on to the Alibaba Cloud Management Console:
- Enter the username and password of your account.
- Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.
- Virtual MFA devices can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.
- U2F security keys have the following limits:
- U2F security keys can be used only on computers with USB ports. If you log on to the Alibaba Cloud Management Console from a browser on a mobile device or from the Alibaba Cloud app, you cannot use U2F security keys. If you use a virtual machine or Remote Desktop Services, U2F authentication is not supported.
- You can use U2F security keys only when you log on to the Alibaba Cloud Management Console by using the signin.alibabacloud.com domain name. If you use the signin-intl.aliyun.com domain name that was previously supported by Alibaba Cloud, U2F authentication is not supported.
- Only the following versions of browsers support the U2F protocol:
- Google Chrome 38 and later
- Opera 40 and later
- Mozilla Firefox 57 and later
Note If you use Mozilla Firefox, you must manually enable the U2F feature by performing the following operations: Enter
about:configin the address bar of your browser to go to the browser configuration page. On this page, search for
u2fand set the security.webauth.u2f parameter to true. For more information, see the Mozilla Firefox help documentation.
MFA for sensitive operations
Multi-factor authentication (MFA) is required for sensitive operations. If a RAM user for which MFA is enabled wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA again. The RAM user can perform the sensitive operation only after the RAM user enters a valid MFA verification code.
Before you can implement MFA for sensitive operations for all RAM users, you must enable MFA for all RAM users. For more information, see Configure security policies for RAM users.
In the future, you can implement MFA for more sensitive operations. The following list describes the sensitive operations that you can implement MFA:
- Create an AccessKey pair.
- Delete an AccessKey pair.
- Disable an AccessKey pair.