This topic describes the basic concepts of security settings in Resource Access Management (RAM). These settings help you protect your account.
Logon password
A logon password is a credential used to verify your identity when you log on to Alibaba Cloud.
Keep your logon password secure and change it regularly.
For more information about how to set a logon password, see Modify a RAM user's logon password.
Default domain name
Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format is <AccountAlias>.onaliyun.com. The default domain name is a unique identifier for the Alibaba Cloud account and is used in scenarios such as RAM user logon or single sign-on (SSO).
For more information, see View and modify the default domain name.
Domain alias
If you own a domain name that is resolvable on the public network, you can use it as a domain alias, that is, an alias that stands in for your default domain name.
A domain alias can be used only after domain ownership verification is complete. Once verified, the domain alias can be used anywhere the default domain name would be used.
For more information, see Create and verify a domain alias.
AccessKey pair
An AccessKey pair consists of an AccessKey ID and an AccessKey secret and is used to verify the identity of API callers. When you make an API request, RAM uses the AccessKey ID and AccessKey secret in a symmetric-key scheme to verify the identity of the request sender. After the request is authenticated, you can operate on the corresponding resources.
The AccessKey ID and AccessKey secret are always used together: the AccessKey ID identifies the user, and the AccessKey secret is the key used to encrypt (sign) a signature string that RAM then verifies. The secret itself is never sent with the request.
The AccessKey secret is displayed only when it is created and cannot be retrieved later. Keep it secure.
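The following added example (not code from this page or from Alibaba Cloud's SDKs) shows how a symmetric request signature of this kind works end to end: the client canonicalizes the request, computes an HMAC over it with the AccessKey secret, and sends only the AccessKey ID plus the resulting signature; the server looks up the secret for that ID, recomputes the HMAC and compares in constant time. The canonicalization and the HMAC-SHA1 construction are modeled on the general shape of RPC-style request signing, but treat them as an assumption here, not as this page's specification; the key ID, secret and request parameters are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value) -> str:
    # RFC 3986-style encoding: everything except unreserved characters is escaped.
    return quote(str(value), safe="~")


def string_to_sign(method: str, params: dict) -> str:
    # Canonical form (assumed layout): sorted query with each key and value encoded,
    # then the whole query encoded once more and joined with the method and the path.
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign_request(access_key_id: str, access_key_secret: str, method: str, params: dict) -> dict:
    """Client side: attach the AccessKey ID (sent in clear) and an HMAC-SHA1 signature."""
    signed = dict(params)
    signed["AccessKeyId"] = access_key_id
    mac = hmac.new(
        (access_key_secret + "&").encode("utf-8"),
        string_to_sign(method, signed).encode("utf-8"),
        hashlib.sha1,
    ).digest()
    signed["Signature"] = base64.b64encode(mac).decode("ascii")
    return signed  # the secret itself never appears in the request


def verify_request(lookup_secret, method: str, request: dict) -> bool:
    """Server side: recompute the signature from the stored secret and compare in constant time."""
    received = request.get("Signature")
    key_id = request.get("AccessKeyId")
    secret = lookup_secret(key_id) if key_id else None
    if received is None or secret is None:
        return False
    unsigned = {k: v for k, v in request.items() if k != "Signature"}
    expected = sign_request(key_id, secret, method, unsigned)["Signature"]
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    # Constructed placeholder credentials and a constructed request; not real values.
    key_id, secret = "EXAMPLE_ACCESS_KEY_ID", "EXAMPLE_ACCESS_KEY_SECRET"
    store = {key_id: secret}  # what the server keeps per AccessKey ID
    params = {
        "Action": "ListUsers",
        "Timestamp": "2024-01-01T00:00:00Z",
        "SignatureNonce": "constructed-nonce-0001",
    }
    request = sign_request(key_id, secret, "GET", params)

    tampered = dict(request)
    tampered["Action"] = "DeleteUser"  # any change after signing must be rejected

    return {
        "secret_on_wire": secret in request.values(),
        "valid": verify_request(store.get, "GET", request),
        "tampered": verify_request(store.get, "GET", tampered),
        "wrong_secret": verify_request({key_id: "SOME_OTHER_SECRET"}.get, "GET", request),
        "unknown_key": verify_request({}.get, "GET", request),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp and nonce in the signed parameters are what give the server a basis for rejecting stale or replayed requests; the signature alone only proves that whoever built the request held the secret.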
For more information, see Create an AccessKey pair.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a simple and effective security practice that adds an extra layer of protection on top of your username and password. When you log on to the console or perform sensitive operations, MFA provides secondary identity verification to improve your account security. This section describes the MFA methods that RAM users support, along with usage instructions and limits.
MFA methods
Authentication method | Description | Scenarios | References
Virtual MFA | The Time-based One-Time Password (TOTP) algorithm is a widely used multi-factor authentication protocol. An application that supports TOTP on a mobile phone or another device, such as the Alibaba Cloud app or Google Authenticator, is called a virtual MFA device. If a user enables a virtual MFA device, Alibaba Cloud requires the user to enter the 6-digit verification code generated by the application during logon. This prevents unauthorized logon due to password theft. | |
Passkey | A passkey is a more secure authentication method that can replace a password. Alibaba Cloud allows RAM users to use passkeys to log on or as an MFA method. With a passkey, you can use the built-in fingerprint, face, or PIN authentication on your laptop, mobile phone, or other devices to complete logon or MFA verification. | |
Security email address | Attach a security email address to a RAM user. The verification code sent to the security email address is used for secondary identity verification. | |
Usage instructions
After you enable MFA and attach an MFA device, a RAM user must provide two security factors when logging on to Alibaba Cloud or performing sensitive operations in the console:
First security factor: the username and password.
Second security factor: the verification code from the virtual MFA device or security email address, or authentication with a passkey.
Limits
Virtual MFA devices are supported for logon to Alibaba Cloud through a browser or the Alibaba Cloud app.
For the limits and supported device types for passkeys, see What is a passkey?
A security email address can be attached to a maximum of five RAM users.
Secondary identity verification for sensitive operations
To protect account security, risk control is triggered when a RAM user with an attached MFA device performs a sensitive operation in the console. The user is then required to perform secondary identity verification. The user can perform the sensitive operation only after entering the correct verification code.
If you want to enable secondary identity verification for sensitive operations for all RAM users, you must first enforce MFA for all RAM users. For more information, see Manage security settings for RAM users.