
Resource Access Management: MFA methods supported by RAM

Last Updated: Nov 14, 2025

This topic describes the MFA methods supported by RAM users and the corresponding usage notes and limitations.

What is MFA and why should you configure it?

MFA adds an extra layer of protection on top of your username and password.

It requires you to provide two forms of verification when you sign in:

  1. First verification: Enter your username and password.

  2. Second verification: Provide another form of authentication, such as a six-digit dynamic verification code that is automatically generated by a virtual MFA device every 30 seconds.

With two-factor authentication, even if your password is compromised, no one can log on to your account without your device. This effectively prevents account theft and significantly improves account security.

MFA methods supported by RAM

MFA method: Virtual MFA devices

Description: The Time-based One-Time Password (TOTP) algorithm is a widely used multi-factor authentication protocol. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, both the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated on the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logon due to password theft.

Scenario:

  • Console logons

  • Sensitive operations

References: Bind a virtual MFA device

MFA method: Passkeys

Description: Passkeys are a secure authentication method that can be used as a replacement for passwords. RAM users can use passkeys for logons and MFA. A passkey allows you to use the authentication methods built into your laptop, mobile phone, or other devices for logons or MFA. The built-in authentication methods include fingerprint recognition, facial recognition, and PIN codes.

Scenario:

  • Console logons

  • Sensitive operations

References: Bind a passkey

MFA method: Email addresses

Description: Email addresses bound to RAM users are used to receive verification codes for MFA.

Scenario:

  • Console logons

  • Sensitive operations

References: Bind an email address

Note

This topic describes the MFA methods for RAM users. For more information about the MFA methods for an Alibaba Cloud account, see Configure MFA for your account.
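
How a virtual MFA device and the service checking it arrive at the same six-digit, 30-second code, as an added example that is not Alibaba Cloud's code: TOTP per RFC 6238 with a verifier. HMAC-SHA1, the one-step clock-drift window, the replay check, and all function names are assumptions, not documented RAM behavior.

```python
import base64
import hashlib
import hmac
import time

STEP = 30    # seconds each code stays valid, as stated on this page
DIGITS = 6   # code length, as stated on this page


def decode_secret(b32: str) -> bytes:
    """Authenticator apps receive the shared secret as Base32 text."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, now: float) -> str:
    """RFC 6238: HOTP keyed on the number of STEP-second intervals since the epoch."""
    return hotp(key, int(now // STEP))


def verify(key: bytes, code: str, now: float, last_used: int = -1, drift: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.
    Assumed policy: tolerate +/- `drift` steps of clock skew, and refuse any
    counter <= last_used so a code seen once cannot be replayed.
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    current = int(now // STEP)
    matched = None
    for counter in range(max(0, current - drift), current + drift + 1):
        # compare_digest does not reveal how many leading digits matched
        if hmac.compare_digest(hotp(key, counter), code) and counter > last_used:
            matched = counter
    return matched


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test key, not a real account secret
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, time.time()))
```

A verifier built this way stores the returned counter per user and passes it back as `last_used` on the next attempt.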

Usage notes

After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when logging on to the Alibaba Cloud Management Console or performing sensitive operations in the console:

  1. Enter the username and password of the RAM user.

  2. Enter the verification code that is generated by the virtual MFA device or that is sent to the email address. Alternatively, use the passkey to pass authentication.

Limitations

  • Virtual MFA can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.

  • For more information about the limits on passkeys and the device types supported by passkeys, see What is a passkey?

  • An email address can be bound to a maximum of five RAM users.