
WUYING Workspace: Configure MFA

Last Updated: Feb 06, 2024

If you enable the multi-factor authentication (MFA) feature, an end user must enter a password and an MFA verification code to log on to a WUYING client. This feature provides additional protection for logons and improves account security. This topic describes how to configure MFA.

Usage notes

Client logon verification, MFA, and single sign-on (SSO) are mutually exclusive. To prevent verification conflicts, take note of the following items:

  • If you enable client logon verification, MFA and SSO cannot be enabled.

  • If you enable MFA, the client logon verification and SSO cannot be enabled.

  • If you enable SSO, the client logon verification and MFA cannot be enabled.

Overview

What is MFA?

MFA is a simple and secure way to add an extra layer of protection on top of the default username and password authentication. If you enable the MFA feature for an office network, an end user must bind a virtual MFA device and enter the correct MFA verification code in addition to the username and password when the end user logs on to a WUYING client. Two layers of protection for logons improve account security.

  • First layer of protection: the username and password

  • Second layer of protection: the verification code that is generated by the virtual MFA device

Note

Virtual MFA devices: Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated by the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logons caused by password theft.

WUYING Workspace supports software-based virtual MFA devices. You can add the Alibaba Cloud app on your mobile phone to serve as a virtual MFA device.

Process

The following process shows how MFA works:

  1. You enable the MFA feature for your office network (formerly known as workspace) in the WUYING Workspace console as an administrator.

  2. The first time an end user logs on to a WUYING terminal in the office network, the end user must bind a virtual MFA device.

    During subsequent logons to the WUYING terminal, the end user must enter a verification code that is generated by the bound virtual MFA device. The logon is considered successful only after the verification code is matched.

Enable MFA for an office network

The following section describes how to enable the MFA feature for an office network. After the MFA feature is enabled for the office network, all end users who want to connect to cloud computers in the office network must enter the correct verification code that is generated by the bound virtual MFA device.

  1. Log on to the WUYING Workspace console.

  2. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable the MFA feature and click the office network ID.

  5. In the left-side navigation pane of the office network details page, click Other.

  6. In the Other section, turn on MFA.

    The MFA feature takes effect the next time end users log on to WUYING terminals.

Bind a virtual MFA device as an end user

The following section describes how to bind a virtual MFA device as an end user.

If you enable the MFA feature for an office network in the WUYING Workspace console as an administrator, end users must bind a virtual MFA device the first time they log on to WUYING terminals.

Preparations

Before you bind a virtual MFA device as an end user, you must make the following preparations:

  1. Download and install the Alibaba Cloud app on your mobile phone.

    You can search for Alibaba Cloud in the app market based on the OS of your mobile phone.

  2. You must download a WUYING client to your on-premises device based on your business requirements.

Procedure

The following procedure uses the Alibaba Cloud app as an example to describe how to bind a virtual MFA device and log on to a WUYING client.

  1. On the on-premises device, double-click the WUYING Workspace icon to open the Windows client.

  2. On the client logon page of the Enterprise Edition, enter an office network ID and click the Next icon.

  3. Enter the username and password and click the Next icon.

  4. Open the Alibaba Cloud app on your mobile phone, scan the QR code that is displayed on the Windows client, and then enter the verification code to bind a virtual MFA device.

    • If you mistype an MFA verification code 10 times in a row, the binding fails and the system denies the virtual MFA device. In this case, you must log on to the Windows client again and rebind another virtual MFA device.

    • If the MFA verification code is valid and the verification is successful, the virtual MFA device is bound, and cloud computer cards are immediately displayed. The next time you log on to the WUYING client, you must enter the username, password, and MFA verification code.

Unbind a virtual MFA device

If you have enabled the MFA feature and your end user has bound a virtual MFA device but wants to use another virtual MFA device, you can unbind the original virtual MFA device. You can also unbind a virtual MFA device if it gets locked and becomes unavailable.

Note

If an end user who uses an enterprise active directory (AD) account to log on to a WUYING terminal mistypes an MFA verification code 10 times in a row, the system locks the virtual MFA device that is bound to the end user for one hour. During the locked period, if the end user needs to connect to a cloud computer in the office network for which the MFA feature is enabled, you can call the UnlockVirtualMFADevice API operation to remove the binding relationship between the virtual MFA device and the end user. You can also call the DeleteVirtualMFADevice API operation to delete the existing virtual MFA device and bind a new virtual MFA device.
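The TOTP check described in the virtual MFA device note and the lockout rule described above can be sketched together. This is an added example, not Alibaba Cloud code: the `VirtualMfaDevice` class, the 30-second step, HMAC-SHA1, the one-step drift window and the replay check are assumptions taken from RFC 6238 defaults and common practice, while the 6-digit code, the 10-attempt limit and the one-hour lock come from this page.

```python
import hashlib
import hmac
import struct

STEP = 30            # seconds per code (RFC 6238 default; assumed)
DIGITS = 6           # the page states a 6-digit verification code
MAX_FAILURES = 10    # consecutive mistypes before the lock (from the page)
LOCK_SECONDS = 3600  # one-hour lock (from the page)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then RFC 4226 truncation."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class VirtualMfaDevice:
    """Hypothetical server-side record for one bound virtual MFA device."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0        # consecutive failed codes
        self.locked_until = 0.0  # epoch seconds; 0 means not locked
        self.last_counter = -1   # last accepted time step, blocks code replay

    def verify(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        counter = int(now) // STEP
        # Accept the current step and one step back to tolerate clock drift.
        for c in (counter, counter - 1):
            expected = totp(self.secret, c * STEP) if c > self.last_counter else None
            if expected and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = c
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
            return "locked"
        return "denied"
```

Because a 6-digit code has only one million possible values, the consecutive-failure counter is what keeps online guessing impractical; the counter resets only on a successful verification.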

Delete a virtual MFA device that is bound to a convenience user

  1. Log on to the WUYING Workspace console.

  2. In the left-side navigation pane, choose Resources & Terminals > Cloud Computers.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Cloud Computers page, find the cloud computer that you want to manage, click the three-dot icon in the Actions column, and then click Manage User MFA Device.

    On the page that appears, you can view the convenience user of the cloud computer and the serial number of the virtual MFA device that is bound to the convenience user.

  5. Find the virtual MFA device that you want to delete, click Delete in the Actions column, and then click OK.

    After the virtual MFA device is deleted, the convenience user must bind another virtual MFA device before the next logon to the client.

Delete a virtual MFA device that is bound to an enterprise AD user

  1. Log on to the WUYING Workspace (Pro Edition) console.

  2. In the left-side navigation pane, choose Resources & Terminals > Cloud Computers.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Cloud Computers page, find the cloud computer that is assigned to the enterprise AD user, click the three-dot icon in the Actions column, click Manage User MFA Device, and then follow the on-screen instructions to delete the virtual MFA device.