Multi-factor authentication (MFA) adds a critical second layer of security beyond your username and password. When MFA is enabled, RAM users must complete a verification step each time they sign in to the console or perform sensitive operations, preventing unauthorized access even if credentials are compromised. This topic explains how RAM users can bind their own MFA devices, including passkeys, virtual MFA devices, and security emails.
Starting from March 17, 2025, Alibaba Cloud enforces mandatory MFA for all RAM users at sign-in. For more information, see the notice.
MFA method comparison
Choose one or more MFA methods based on your security requirements. For more information about each method, see Supported MFA methods.
| MFA method | Verification method | Security level | Dependencies | Recommendations |
| --- | --- | --- | --- | --- |
| passkey | Biometrics (fingerprint/face) or device PIN | Highest | Compatible devices (computer/phone) and browsers, or hardware security keys. For details, see What is a passkey? | Maximum security with a convenient passwordless sign-in experience. Authenticates both the device and the user through built-in biometrics. |
| virtual MFA device | Time-based one-time password (TOTP) | High | An authenticator app on a smartphone, such as the Alibaba Cloud app or Google Authenticator. | The most versatile and secure option that works regardless of region or carrier. Recommended as the primary MFA method. |
| security email | Email verification code | Medium | Email service | Use as a backup verification method. Can be used for emergency sign-in when the primary MFA device is unavailable. |
- To prevent account lockout due to a lost or damaged device, bind at least two different types of MFA devices to each RAM user, for example, a passkey and a security email.
- U2F security keys have been upgraded to passkeys. If you have a bound U2F security key, we recommend upgrading it. See Upgrade a U2F security key to a passkey.
Prerequisites
Before a RAM user can bind an MFA device, the Alibaba Cloud account owner or a RAM administrator must:
Configure the global MFA policy — Define the MFA activation rules and specify which device types are allowed. For details, see Multi-factor authentication settings.
Allow users to manage their own MFA devices — Enable this option in the global security settings so RAM users can self-manage their MFA bindings. For details, see Global security settings.
After the policy is configured, each RAM user must bind their MFA device individually using the procedures described below.
Bind a passkey
A passkey uses your device's built-in biometrics (fingerprint or face recognition) or a PIN for verification, delivering a seamless and highly secure passwordless experience. Before you begin, verify that your device and browser support passkeys. For compatibility details, see What is a passkey?.
Register a passkey on every device you use frequently, and set up a security email as a backup to avoid lockout when switching devices.
Sign-in page
When you sign in to the console as a RAM user for the first time after MFA is required, the system prompts you to bind an MFA device.
- Go to the RAM user logon page and enter your username and password.
- Select passkey.
- On the Bind passkey page, follow the on-screen instructions to complete the binding. For more information, see Manage passkeys for RAM users.
Security Information page
- Go to the RAM user logon page and sign in.
- Hover over your profile picture in the upper-right corner and click Security Information.
- In the Passkey section, click Create Passkey.
- On the Bind passkey page, follow the on-screen instructions to complete the binding. For more information, see Manage passkeys for RAM users.
Bind a virtual MFA device
A virtual MFA device generates time-based one-time passwords (TOTP) through an authenticator app. This method is highly secure, works offline, and is not limited by region or carrier. Before you begin, download and install an authenticator app on your smartphone — for example, the Alibaba Cloud app or Google Authenticator.
Sign-in page
When you sign in to the console as a RAM user for the first time after MFA is required, the system prompts you to bind an MFA device.
- Go to the RAM user logon page and enter your username and password.
- Select virtual MFA device.
- On your smartphone, add the virtual MFA device using one of the following methods:

  Alibaba Cloud app (Android)
  - Open the Alibaba Cloud app and sign in.
  - In the upper-right corner, tap the icon.
  - Tap + in the upper-right corner, then choose:
    - Scan QR Code (Recommended): Scan the QR code displayed on the Bind virtual MFA device page in the console, then tap OK.
    - Add Manually: Enter the account name and key from the console page, then tap OK.

  Google Authenticator app (iOS)
  - Open the Google Authenticator app.
  - Tap Get started, then choose:
    - Scan a QR code (Recommended): Scan the QR code displayed on the Bind virtual MFA device page in the console.
    - Enter a setup key: Enter the account name and key from the console page, then tap Add.
- In the console, enter the time-based one-time password (TOTP) displayed on your smartphone and click OK.
Security Information page
- Go to the RAM user logon page and sign in.
- Hover over your profile picture in the upper-right corner and click Security Information.
- In the MFA Information section, click MFA Device next to MFA Device.
- On your smartphone, add the virtual MFA device using one of the following methods:

  Alibaba Cloud app (Android)
  - Open the Alibaba Cloud app and sign in.
  - In the upper-right corner, tap the icon.
  - Tap + in the upper-right corner, then choose:
    - Scan QR Code (Recommended): Scan the QR code displayed on the Bind virtual MFA device page in the console, then tap OK.
    - Add Manually: Enter the account name and key from the console page, then tap OK.

  Google Authenticator app (iOS)
  - Open the Google Authenticator app.
  - Tap Get started, then choose:
    - Scan a QR code (Recommended): Scan the QR code displayed on the Bind virtual MFA device page in the console.
    - Enter a setup key: Enter the account name and key from the console page, then tap Add.
- In the console, enter the time-based one-time password (TOTP) displayed on your smartphone and click OK.
You can also allow RAM users to remember their MFA verification status for 7 days. This setting allows a RAM user to select Remember this device and do not ask for verification within 7 days during MFA. The user will then not need to complete MFA on that device for the next 7 days. For information on how to configure this setting, see Manage security settings for RAM users.
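How a virtual MFA device derives its code from nothing but the key shown on the Bind virtual MFA device page and the phone's clock, which is why it works offline. This is an added example, not Alibaba Cloud's code; it assumes the common RFC 6238 authenticator defaults (HMAC-SHA-1, 30-second step, 6 digits), which this page does not state, and the setup key is the RFC test secret, constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32,
# typed the way a setup key is often displayed (grouped, lower case).
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_setup_key(key: str) -> bytes:
    """Decode a manually entered base32 setup key, tolerating spaces and case."""
    cleaned = key.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time (assumed defaults)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30):
    """Return the clock drift (in steps) at which code matches, or None."""
    for drift in range(-window, window + 1):
        shifted = unix_time + drift * step
        if shifted < 0:
            continue  # no time step exists before the epoch
        expected = totp(secret, shifted, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return drift
    return None


if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_SETUP_KEY)
    print("code at t=59:", totp(secret, 59))
    print("same code checked one step later:", verify(secret, "287082", 89))
    print("same code checked three steps later:", verify(secret, "287082", 149))
```

A verifier with a one-step window accepts a code from the adjacent 30-second step and rejects anything older, so a phone clock that drifts further than the window produces codes that fail.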
Bind a security email
A security email provides a backup verification channel when your primary MFA device is unavailable. On the International site, you can also use it for emergency sign-in.
Security email can only be bound from the Security Information page — it is not available during first sign-in.
- Go to the RAM user logon page and sign in.
- Hover over your profile picture in the upper-right corner and click Security Information.
- In the MFA Information section, click Security Email next to security email.
- On the Bind security email page, enter your email address, request and enter the verification code, and then click OK.
The email address in a RAM user's basic information is for reference only and differs from the bound security email. Only the bound security email can be used for MFA verification.
Upgrade a U2F security key to a passkey
U2F security keys have been upgraded to passkeys. If you have a bound U2F security key, it will continue to work, but we recommend upgrading it to a passkey for improved functionality.
- Go to the RAM user logon page and sign in.
- Hover over your profile picture in the upper-right corner and click Security Information.
- In the MFA Information section, click MFA Device next to Update to Passkey.
- In the Update U2F to Passkey dialog box, click OK.
- On the Bind passkey page, register the security key as a passkey. For more information, see Manage passkeys for RAM users.
What to do next
After enabling MFA and binding an MFA device to a RAM user, the user must provide two security factors when they sign in to Alibaba Cloud or perform a sensitive operation in the console:
First factor: Enter their username and password.
Second factor: Enter a verification code from a virtual MFA device or security email address, or authenticate with a passkey.
- Replacing an MFA device: To replace a bound MFA device, you must first unbind the existing device before binding a new one. For details, see Unbind an MFA device for a RAM user.
- Lost or inaccessible device: If a RAM user uninstalls their authenticator app (such as the Alibaba Cloud app or Google Authenticator) or loses their security key without unbinding it first, they will be locked out. The Alibaba Cloud account owner or a RAM administrator must unbind the device in the RAM console. For details, see Unbind an MFA device for a RAM user.