When multi-factor authentication (MFA) is enabled, a regular user must enter a password and an MFA verification code to log on to the Alibaba Cloud Workspace client. This feature provides two-layer protection for logons and improves account security. This topic describes how to configure MFA.

Prerequisites

Client logon verification and single sign-on (SSO) are not enabled.

Background information

Client logon verification, MFA, and SSO are mutually exclusive settings. To prevent verification conflicts, take note of the following items:

  • If you enable client logon verification, MFA and SSO cannot be enabled.
  • If MFA is enabled, the client logon verification and SSO cannot be enabled.
  • If you enable SSO, the client logon verification and MFA cannot be enabled.

MFA is a simple and secure way to add an extra layer of protection on top of the default username-and-password authentication. When MFA is enabled, two factors are required to access the client. The first factor is the username and password. The second factor is a verification code that an MFA device generates dynamically. Together, these two factors strengthen your account security.

An MFA device uses the Time-based One-time Password (TOTP) algorithm to generate a 6-digit dynamic verification code. MFA devices can be hardware or software. Elastic Desktop Service (EDS) supports software-based virtual MFA devices. You can install the software that supports MFA on mobile devices. For example, you can install the Alibaba Cloud app on a mobile phone. In this case, the mobile phone is used as a virtual MFA device.

To implement MFA, perform the following steps:
  1. Enable MFA for a workspace in the EDS console.
  2. Bind an MFA device the first time you log on to the Alibaba Cloud Workspace client as a regular user.
  3. Enter the MFA verification code the next time you log on to the Alibaba Cloud Workspace client as a regular user.

Enable MFA for a workspace

You can configure whether to enable MFA for a workspace. If MFA is enabled for a workspace, MFA is also enabled for all cloud desktops in the workspace.

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Overview.
  4. On the Overview page, click the ID of the workspace for which you want to enable MFA.
  5. On the Security page, enable MFA.
  6. In the message that appears, click Confirm.

Bind a virtual MFA device to a regular user

If MFA is enabled for a workspace to which the cloud desktop used by a regular user belongs, the regular user must bind a virtual MFA device the first time the regular user logs on to the client. The regular user can install the software that supports MFA, such as the Alibaba Cloud app, on a mobile phone. Then, the mobile phone is used as a virtual MFA device.
Note The regular user can install the Alibaba Cloud app from App Store or another app store based on the OS of the mobile phone used.

To bind a virtual MFA device, perform the following steps:

  1. Double-click the client icon to launch the client.
  2. Enter the workspace ID, select a network connection method, and then click Next.
    The first time a regular user logs on to the Alibaba Cloud Workspace client, the regular user must set the workspace ID and connection method. These settings are reused for subsequent logons. To change the workspace, modify the logon settings.
  3. Enter the username and password and click Next.
  4. Follow the on-screen instructions on the client and scan the QR code to bind a virtual MFA device.
    1. Launch the Alibaba Cloud app on the mobile phone and scan the QR code that is displayed on the client to obtain the verification code.
    2. On the client page, click Next.
    3. On the client page, enter the 6-digit verification code that is displayed on the Virtual MFA page of the Alibaba Cloud app and click OK.
    • If an incorrect MFA verification code is entered five times in a row within a short period of time, the virtual MFA device cannot be bound. In this case, another virtual MFA device is required. The regular user must log on to the client again and bind a new virtual MFA device.
    • If a correct MFA verification code is entered, the virtual MFA device is bound. Then, the cloud desktops to which you may connect are displayed. Only the username, password, and MFA verification code are required upon the next logon to the client.

Delete a virtual MFA device bound to a regular user

MFA devices can be deleted only for cloud desktops that belong to workspaces of the enterprise Active Directory (AD) account type.

In the following scenarios, you may want to delete the virtual MFA device that is bound to your account.
  • The bound virtual MFA device is idle for a long period of time due to reasons such as a changed phone.
  • The bound virtual MFA device is locked and unavailable.
    Note After a virtual MFA device is bound for an AD user, the MFA device is locked for 1 hour if an incorrect MFA authentication code is entered five times in a row within a short period of time. If you want to connect to a cloud desktop of the AD user during the lock period, you can call the UnlockVirtualMFADevice operation to unlock the virtual MFA device. You can also delete the virtual MFA device and bind a different one.
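The following Python script is an added example, not code from Alibaba Cloud or the EDS client. It shows the two behaviours described above: how a virtual MFA device derives a 6-digit code with the TOTP algorithm (RFC 6238, HMAC-SHA1 over a 30-second time step), and how a verifier can model the lockout rule described in the note (five consecutive wrong codes lock the device for 1 hour, and an unlock operation clears the lock). The secret is the public RFC 6238 test key, not a key from any real device; the `VirtualMFADevice` class and its method names are assumptions made for this example, and the page does not define the length of the "short period of time", so only consecutive failures are counted.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test vector secret ("12345678901234567890" in base32), not a real device key.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30          # seconds per TOTP step
MAX_FAILURES = 5        # consecutive wrong codes before the device locks (from the note above)
LOCK_SECONDS = 3600     # lock duration of 1 hour (from the note above)


def totp(secret_b32: str, for_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1 variant) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class VirtualMFADevice:
    """Hypothetical verifier-side model of a bound virtual MFA device with lockout."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.failures = 0          # consecutive wrong codes since the last success
        self.locked_until = 0      # Unix time until which the device is locked

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def unlock(self) -> None:
        """Clear the lock and failure counter, as an UnlockVirtualMFADevice call would."""
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int, skew_steps: int = 1) -> str:
        """Return "ok", "wrong", or "locked"; tolerate +/- skew_steps of clock drift."""
        if self.is_locked(now):
            return "locked"
        for k in range(-skew_steps, skew_steps + 1):
            expected = totp(self.secret, now + k * TIME_STEP)
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(expected, code):
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    now = 1234567890
    print("code at", now, "is", totp(SAMPLE_SECRET_B32, now))
    device = VirtualMFADevice(SAMPLE_SECRET_B32)
    for attempt in range(6):
        print("attempt", attempt + 1, "->", device.verify("000000", now, skew_steps=0))
```

The one-step skew window lets a phone whose clock is slightly off still authenticate; widening it increases the number of codes an attacker can guess per attempt, which is why the verifier also caps consecutive failures before locking the device.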

To delete a virtual MFA device, perform the following steps:

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, choose Desktops and Groups > Desktops.
  4. On the Cloud Desktops page, find the cloud desktop for which you want to delete a virtual MFA device, and choose More > Manage User MFA Device in the Actions column.
    In the dialog box that appears, you can view the usernames of the users to whom the cloud desktop is assigned and the serial number of the virtual MFA device that is bound to each user.
  5. Find the virtual MFA device that you want to delete, click Delete in the Actions column, and then click OK.
    After the virtual MFA device is deleted, the AD user must bind a virtual MFA device before the next logon to the client.