Resource Access Management: FAQ about MFA

Last Updated: Apr 10, 2024

This topic provides answers to some frequently asked questions about multi-factor authentication (MFA), such as invalid MFA verification codes, MFA authentication failures, changing an MFA device, forcibly enabling MFA, and disabling MFA.

After I enter the verification code on the MFA binding page, a message indicating that the verification code is invalid appears. What do I do?

  • MFA is a time-based authentication method. Make sure that the time on your mobile phone is accurate.

  • Each verification code that is generated by your MFA device is updated every 30 seconds. Make sure that you enter the most recent and unused verification code.

  • The quick response (QR) code (key) that is displayed on the MFA binding page may have expired because the page expired. Refresh the page and use your MFA device to scan the new QR code.

  • If you open the MFA binding page multiple times and scan the QR code with your MFA device each time, the MFA device displays multiple different verification codes for your account at the same time. In this case, you may enter an invalid verification code, which causes authentication to fail. We recommend that you check whether your account is already displayed on the MFA device. If your account is displayed, remove the account and rescan the QR code. This ensures that you enter a valid verification code.

  • Bind an MFA device again.

  • If the issue persists after you use the preceding methods to troubleshoot the issue, submit a ticket. You must also provide the screenshot of the page that indicates MFA binding failures, the screenshot of your mobile phone that displays the point in time at which the binding starts, the account to which you want to bind the MFA device, and the points in time at which operations are performed during the binding.

What do I do if an authentication failure is prompted when I attempt to perform MFA-based logon?

  • MFA is a time-based authentication method. Make sure that the time on your mobile phone is accurate.

  • Make sure that the verification codes that you enter are generated for the current account. The verification codes must be most recently generated and unused.

  • If the current MFA device is unbound from the current account, and another MFA device is bound to the current account, obtain the verification codes from the new MFA device.

  • Bind an MFA device again.

  • If the issue persists after you use the preceding methods to troubleshoot the issue, submit a ticket. You must also provide the screenshot of your mobile phone that displays the point in time at which the authentication starts, the account that is required for MFA-based logon, and the points in time at which operations are performed during the authentication.
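The two most common causes in the preceding answers, a phone clock that has drifted and a code taken from an entry created by an earlier QR scan, can be reproduced offline. The following is an added example, not Alibaba Cloud code: it assumes the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 6 digits) and a server that tolerates one 30-second step of drift in either direction, neither of which this page confirms, and both keys are constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid, as stated on this page
# Constructed Base32 secrets standing in for the key inside two QR codes.
CURRENT_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # key the server stored
STALE_KEY = "JBSWY3DPEHPK3PXP"                    # key from an earlier scan


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code for one moment (HMAC-SHA1 assumed, not confirmed by the page)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Return the matching step offset, or None. The +/-1 window is an assumption."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None


def diagnose(phone_key, phone_clock_offset, server_time):
    """Simulate one logon: the phone shows a code, the server checks it."""
    code = totp(phone_key, server_time + phone_clock_offset)
    drift = verify(CURRENT_KEY, code, server_time)
    if drift is not None:
        return f"accepted (phone is {drift:+d} step(s) from server time)"
    if phone_key != CURRENT_KEY:
        return "rejected: code comes from a different key"
    return "rejected: phone clock is outside the accepted window"


if __name__ == "__main__":
    now = 59  # constructed server time, in seconds since the epoch
    print(diagnose(CURRENT_KEY, 0, now))     # accurate clock
    print(diagnose(CURRENT_KEY, 30, now))    # phone 30 s fast
    print(diagnose(CURRENT_KEY, 120, now))   # phone 2 min fast
    print(diagnose(STALE_KEY, 0, now))       # entry from an old QR scan
```

A code rejected for either reason looks identical to the user, which is why the answers above ask you to check both the phone time and whether the account entry on the MFA device matches the most recent QR code.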

What do I do if the MFA device is deleted by mistake or my mobile phone is lost?

  • If the MFA device is bound to an Alibaba Cloud account, submit a request based on the on-screen instructions on the verification page.

  • If the MFA device is bound to a RAM user, contact the Alibaba Cloud account to which the RAM user belongs or a RAM administrator to disable MFA for the RAM user. For more information, see Unbind an MFA device from a RAM user.

How do I change an MFA device?

If you want to change the MFA device that is bound to an Alibaba Cloud account or a RAM user, perform the following operations. In this example, the current MFA device is the Alibaba Cloud app that is installed on Mobile Phone A, and you want to change the MFA device to the Alibaba Cloud app that is installed on Mobile Phone B.

Change an MFA device that is bound to an Alibaba Cloud account

  1. Log on to the RAM console.

  2. Unbind the MFA device that is installed on Mobile Phone A from the Alibaba Cloud account.

    For more information, see Unbind an MFA device from an Alibaba Cloud account.

  3. Bind the MFA device that is installed on Mobile Phone B to the Alibaba Cloud account.

    For more information, see Bind an MFA device to an Alibaba Cloud account.

Change an MFA device that is bound to a RAM user

If the Alibaba Cloud account to which the RAM user belongs allows the RAM user to manage an MFA device, the RAM user can unbind or bind an MFA device. If the current RAM user does not have the permissions to manage an MFA device, contact the Alibaba Cloud account to which the RAM user belongs or a RAM administrator. For more information, see Manage security settings of RAM users.

  1. Log on to the RAM console.

  2. Unbind the MFA device that is installed on Mobile Phone A from the RAM user.

    For more information, see Unbind an MFA device from a RAM user.

  3. Bind the MFA device that is installed on Mobile Phone B to the RAM user.

    For more information, see Bind an MFA device to a RAM user.

How do I enforce MFA for all RAM users or a specific RAM user when the RAM user logs on to the Alibaba Cloud Management Console?

An Alibaba Cloud account or a RAM user who has administrative rights can modify the security settings and console logon settings of RAM users to implement MFA when the RAM users log on to the Alibaba Cloud Management Console. You can use one of the following methods:

After you complete the preceding settings, RAM users must bind MFA devices when they log on to the Alibaba Cloud Management Console. After MFA devices are bound, RAM users must enter MFA verification codes when they log on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

How do I disable MFA for RAM users when they log on to the Alibaba Cloud Management Console?

Unbinding an MFA device does not disable MFA. If you want to disable MFA for RAM users, you must modify the security settings or console logon settings of RAM users.

  1. Use an Alibaba Cloud account or a RAM user who has administrative rights to modify the security settings of RAM users.

    In the RAM User Security section, set MFA for RAM User Logons to Apply User-specific Configuration or Required Only for Unusual Logon. For more information, see Manage security settings of RAM users.

    • Apply User-specific Configuration: specifies that user-specific settings are applied. Then, you must configure other parameters for the RAM users.

    • Required Only for Unusual Logon: MFA is required only when a logon is initiated from a location or device other than the common logon locations or devices.

  2. Use an Alibaba Cloud account or a RAM user who has administrative rights to modify the console logon settings of RAM users.

    In the Console Logon Management section, set Enable MFA to Not Required. For more information, see Manage console logon settings for a RAM user.