Multi-factor authentication (MFA) is an easy-to-use and effective authentication model and adds an extra layer of protection in addition to your username and password. MFA verifies users who initiate console logon or perform sensitive operations. This way, the security of your account is ensured. MFA does not affect API operation calls by using Accesskey pairs. This topic describes MFA methods that are supported by RAM users. This topic also describes usage notes and limits of MFA in Resource Access Management (RAM).
|Virtual MFA devices||Time-based one-time cipher algorithm (TOTP) is a multi-factor authentication protocol that is widely used. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, both the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated on the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logon due to password theft.||Bind a virtual MFA device to a RAM user|
|U2F security keys||Universal 2nd Factor (U2F) is a multi-factor authentication protocol that is widely used and hosted by the Fast Identity Online (FIDO) Alliance. For more information, visit Fast Identity Online (FIDO) Alliance. The protocol is used to provide an efficient and universal multi-factor authentication method. A hardware device that supports Web Authentication is a U2F security key. You can plug a U2F security key into a USB port on your computer. Then, you can complete multi-factor authentication by tapping the button on the device when you log on to the Alibaba Cloud Management Console. For more information, see Web Authentication.||Bind a U2F security key|
After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when the RAM user logs on to the Alibaba Cloud Management Console of perform sensitive operations:
- Enter the username and password of your account.
- Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.
- RAM users support both virtual MFA devices and U2F security keys. However, you can bind only one virtual MFA device or one U2F security key to a RAM user.
- Virtual MFA can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.
- U2F security keys have the following limits:
- U2F security keys can be used only on computers with USB ports. If you log on to the Alibaba Cloud Management Console from a browser on a mobile device or from the Alibaba Cloud app, you cannot use U2F security keys. If you use a virtual machine or Remote Desktop Services, U2F authentication is not supported.
- You can use U2F security keys only when you log on to the Alibaba Cloud Management Console by using the signin.alibabacloud.com domain name. If you use the signin-intl.aliyun.com domain name that was previously supported by Alibaba Cloud, U2F authentication is not supported.
- You can use U2F security keys in the following versions of browsers that support Web Authentication (WebAuthn):
- Google Chrome 67 and later
- Opera 54 and later
- Mozilla Firefox 60 and laterNote If you use Mozilla Firefox, you must manually enable the U2F feature by performing the following operations: Enter
about:configin the address bar of your browser to go to the browser configuration page. On this page, search for
u2fand set the security.webauth.u2f parameter to true. For more information, see the Mozilla Firefox help documentation.