This topic introduces some basic concepts of security settings in the Resource Access Management (RAM) console.
password
An identity credential that is used to log on to the Alibaba Cloud Management Console.
We recommend that you change your password on a regular basis and keep your password confidential.
For more information about how to configure a logon password, see Change the logon password of a RAM user.
default domain name
The default domain name is a unique identifier of an Alibaba Cloud account. Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is <AccountAlias>.onaliyun.com. The default domain name can be used for RAM user logon and single sign-on (SSO) management.
For more information, see View and modify the default domain name.
domain alias
A custom domain name that you can use to replace the default domain name. The custom domain name must be publicly resolvable. A domain alias is the alias of the default domain name.
A custom domain can be used as a domain alias only after the ownership of the custom domain is verified. After the ownership is verified, you can use the domain alias to replace the default domain name in all scenarios in which the default domain name is required.
For more information, see Create and verify a domain alias.
AccessKey pair
An identity credential that is used to authenticate API requests. Each AccessKey pair consists of an AccessKey ID and an AccessKey secret. When you initiate an API request, the request is signed with the AccessKey secret by using a keyed hash (HMAC, a symmetric-key mechanism), and Alibaba Cloud verifies the signature to authenticate the caller. After the identity is verified, you can manage Alibaba Cloud resources by calling API operations.
The AccessKey ID identifies the caller and is sent with the request in clear text. The AccessKey secret is never transmitted: it is used only to compute the signature over the string-to-sign, which the server recomputes and compares. Treat the AccessKey secret as you would a password.
An AccessKey secret is displayed only when you create the AccessKey pair and cannot be retrieved later. Store it in a secrets manager or encrypted configuration, do not embed it in source code or commit it to a repository, and rotate it on a regular basis. If the secret is lost or exposed, create a new AccessKey pair and disable the old one.
For more information, see Create an AccessKey pair.
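The following Python example shows the signing pattern described above on both sides of the exchange: the client builds a deterministic string-to-sign from the request, computes an HMAC-SHA256 tag with the AccessKey secret, and sends only the AccessKey ID and the tag; the server looks up the secret by AccessKey ID, recomputes the tag over the request as received, and compares in constant time. It is an added illustration, not Alibaba Cloud SDK code: the canonical-request layout, the Authorization header format, the header names and the credentials are simplified and constructed for the example and do not reproduce the exact Alibaba Cloud signature specification.

```python
"""Signing an API request with an AccessKey pair and verifying it server-side.

Added illustration of the HMAC signing pattern; the canonical-request layout,
header names and credentials are simplified and constructed, not the exact
Alibaba Cloud signature specification.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed credentials for the demonstration only (not real keys).
ACCESS_KEY_ID = "LTAIExampleAccessKeyId"
ACCESS_KEY_SECRET = "ExampleSecretDoNotUseInProduction"

# Constructed sample request. The timestamp header is part of what is signed,
# so a captured request cannot be replayed later under a different date.
SAMPLE_HEADERS = {"host": "ecs.example.com", "x-acs-date": "2024-05-01T12:00:00Z"}
SAMPLE_QUERY = {"Action": "DescribeInstances", "RegionId": "cn-hangzhou"}
MAX_SKEW_SECONDS = 900


def canonical_request(method, path, query, headers, body):
    """Deterministic string-to-sign: method, path, sorted percent-encoded query,
    sorted lower-cased headers, and the SHA-256 of the body."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    canon_headers = "".join(
        f"{k.lower()}:{v.strip()}\n"
        for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())
    )
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{canon_query}\n{canon_headers}\n{body_hash}"


def sign(secret, string_to_sign):
    """The AccessKey secret is the HMAC key; only the resulting tag goes on the wire."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def build_authorization(access_key_id, secret, method, path, query, headers, body=b""):
    """Client side: the AccessKey ID is sent in clear text, the secret never is."""
    signature = sign(secret, canonical_request(method, path, query, headers, body))
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    return f"HMAC-SHA256 Credential={access_key_id},SignedHeaders={signed_headers},Signature={signature}"


def parse_date(value):
    """ISO 8601 UTC timestamp to Unix seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def verify(credentials, authorization, method, path, query, headers, body=b"", now=None):
    """Server side: look up the secret by AccessKey ID, recompute the signature
    over the request as received, compare in constant time, and reject stale
    timestamps. Every failure returns the same False so nothing about which
    check failed leaks to the caller."""
    try:
        scheme, params = authorization.split(" ", 1)
        fields = dict(item.split("=", 1) for item in params.split(","))
        access_key_id, presented = fields["Credential"], fields["Signature"]
        sent_at = parse_date(headers["x-acs-date"])
    except (ValueError, KeyError):
        return False
    if scheme != "HMAC-SHA256":
        return False
    secret = credentials.get(access_key_id)
    if secret is None:
        return False
    if now is not None and abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, canonical_request(method, path, query, headers, body))
    return hmac.compare_digest(expected, presented)


def demo():
    """Returns the outcomes (valid, tampered_query, wrong_secret, stale)."""
    credentials = {ACCESS_KEY_ID: ACCESS_KEY_SECRET}  # what the server stores
    now = parse_date(SAMPLE_HEADERS["x-acs-date"]) + 60
    auth = build_authorization(ACCESS_KEY_ID, ACCESS_KEY_SECRET, "GET", "/", SAMPLE_QUERY, SAMPLE_HEADERS)
    valid = verify(credentials, auth, "GET", "/", SAMPLE_QUERY, SAMPLE_HEADERS, now=now)
    tampered = verify(credentials, auth, "GET", "/", {**SAMPLE_QUERY, "RegionId": "us-west-1"}, SAMPLE_HEADERS, now=now)
    wrong_secret = verify({ACCESS_KEY_ID: "SomeOtherSecret"}, auth, "GET", "/", SAMPLE_QUERY, SAMPLE_HEADERS, now=now)
    stale = verify(credentials, auth, "GET", "/", SAMPLE_QUERY, SAMPLE_HEADERS, now=now + 3600)
    return valid, tampered, wrong_secret, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Two design points carry over to any real deployment: the comparison uses hmac.compare_digest rather than ==, so the time taken does not depend on how many leading characters of a forged tag are correct, and the signed material includes a timestamp that the server bounds, so a request captured on the wire is only useful within the skew window even though the secret itself was never exposed.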
multi-factor authentication (MFA)
MFA is an easy-to-use and effective authentication model that supplements the username and password model. MFA adds an extra layer of protection by verifying users again when they log on to the console or perform sensitive operations, so that a compromised password alone does not grant access. This section describes the MFA methods that RAM users support, together with the usage notes and limits of MFA in RAM.
MFA methods
MFA method | Description | Scenario |
Virtual MFA devices | Time-based One-Time Password (TOTP, RFC 6238) is a widely used one-time password algorithm. Applications that implement TOTP on devices such as mobile phones are called virtual MFA devices; the Alibaba Cloud app and Google Authenticator are examples. If a virtual MFA device is enabled, you must enter the 6-digit verification code that the device currently displays when you log on to the Alibaba Cloud Management Console, so a stolen password alone is not enough to log on. | |
Passkeys | Passkeys are a secure authentication method that can replace passwords. RAM users can use passkeys for logons and for MFA. A passkey uses the authentication methods built into your laptop, mobile phone, or other device, such as fingerprint recognition, facial recognition, or a PIN code, for logons or MFA. | |
Email addresses | The email address bound to a RAM user receives the verification code for MFA. | Sensitive operations |
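The following Python example implements the TOTP algorithm behind virtual MFA devices and the server-side check that consumes the code. It is an added example, not Alibaba Cloud code: it uses the RFC 4226/RFC 6238 test-vector secret, which is constructed here so the output can be checked against the RFC tables, and the verifier class, its drift window and its replay rule are this example's own design rather than a description of how the RAM service validates codes.

```python
"""TOTP (RFC 6238) as used by virtual MFA devices, with a server-side check.

Added example, not Alibaba Cloud code. The secret is the RFC 4226/6238
test vector; the verifier's window and replay policy are this example's own.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here as a
# constructed example. A real seed is random bytes generated by the service and
# shown to the user once, usually base32-encoded inside a QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def decode_base32_seed(seed):
    """Authenticator apps exchange seeds as base32, often in lower case, with
    spaces, or without padding; normalise before decoding."""
    seed = seed.replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


class TotpVerifier:
    """Server-side verification for one bound device. Accepts the current step
    plus `window` steps either side to tolerate clock drift, compares in
    constant time, and never accepts a step at or before the last accepted
    one, so a code captured by an attacker cannot be replayed within the window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code, at=None):
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        if at is None:
            at = time.time()
        current = int(at // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than an accepted step
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 94287082 for T=59 with SHA-1; the 6-digit code is 287082.
    print(totp(TEST_SECRET, at=59))  # 287082
    verifier = TotpVerifier(TEST_SECRET)
    print(verifier.verify("287082", at=59), verifier.verify("287082", at=59))  # True False
```

The replay rule is the part most often missing from home-grown verifiers: without it, a code phished or shoulder-surfed from the user remains valid for the rest of its 30-second step plus the drift window, which is exactly the interval a real-time phishing proxy needs.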
Usage notes
After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when the RAM user logs on to the Alibaba Cloud Management Console or performs sensitive operations in the console:
Enter the username and password of the RAM user.
Enter the verification code that is generated by the virtual MFA device or that is sent to the secure email address. Alternatively, use the passkey to pass authentication.
Limits
Virtual MFA can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.
For more information about the limits on passkeys and the device types supported by passkeys, see What is a passkey?
An email address can be bound to a maximum of five RAM users.
MFA for sensitive operations
MFA is required for sensitive operations. If a RAM user for which an MFA method is enabled wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass identity authentication again. The RAM user can perform the sensitive operation only after the RAM user enters a valid verification code.
Before you can implement identity authentication for sensitive operations for all RAM users, you must enable MFA for all RAM users. For more information, see Manage the security settings of RAM users.