Multi-factor authentication (MFA) adds an extra layer of security to your Alibaba Cloud account by requiring RAM users to provide a second form of verification in addition to their password. This topic describes the MFA methods that Resource Access Management (RAM) users can use to secure their console logon.
What is MFA and why should you configure it?
MFA adds an extra layer of protection on top of your username and password.
It requires you to provide two forms of verification when you sign in:
First verification: Enter your username and password.
Second verification: Provide another form of authentication, such as a six-digit dynamic verification code that is automatically generated by a virtual MFA device every 30 seconds.
With two-factor authentication, even if your password is compromised, no one can log on to your account without your device. This effectively prevents account theft and significantly improves account security.
Supported MFA methods
Authentication method | Description | Use cases | References |
Virtual MFA | A virtual MFA device is an application that generates time-based one-time passwords (TOTP), such as the Alibaba Cloud app or Google Authenticator. After you bind a virtual MFA device, Alibaba Cloud requires you to enter a 6-digit verification code during logon, which prevents unauthorized access from password theft. |
| |
Passkey | A passkey is a passwordless authentication method based on public key cryptography. RAM users can use a passkey to log on or as an MFA method. Passkeys use built-in biometrics (fingerprint or face) or a PIN on your device to complete authentication. |
| |
Security email address | Attach a security email address to a RAM user. The verification code sent to the security email address is used for secondary identity verification. |
|
This topic describes MFA methods for RAM users. Your Alibaba Cloud account also supports MFA but may have different setup procedures. For more information, see Configure MFA for your account.
How MFA works with RAM
When a RAM user has MFA enabled, the logon process is as follows:
The user enters their username and password on the Alibaba Cloud logon page.
If the password is correct, the system prompts the user for a second factor of authentication.
The user provides the MFA code from their registered device or authentication code received by email, or complete passkey authentication.
If the second factor is also correct, the user is authenticated and granted access to the console.
Limitations
MFA for RAM users applies only to logons to the Alibaba Cloud console through a browser or the Alibaba Cloud app. It does not protect programmatic access using AccessKey pairs.
For limitations and supported device types for passkeys, see What is a passkey?
An email address can be attached to a maximum of five RAM users.