This topic describes the MFA methods supported by RAM users and the corresponding usage notes and limitations.
What is MFA and why should you configure it?
Multi-Factor Authentication (MFA) is a security best practice that adds an extra layer of protection on top of your username and password.
When you enable MFA, you must complete two verification steps to log on to Alibaba Cloud:
First verification: Enter your username and password.
Second verification: Use another authentication method, such as a six-digit dynamic code generated by a virtual MFA device every 30 seconds.
With this two-step verification, even if your password is compromised, no one can log on to your account without your physical device. This helps prevent account theft and greatly improves security.
MFA methods supported by RAM
Authentication method | Description | Use cases | References |
Virtual MFA | A virtual MFA device is an application that generates time-based one-time passwords (TOTP), such as the Alibaba Cloud app or Google Authenticator. After you bind a virtual MFA device, Alibaba Cloud requires you to enter a 6-digit verification code during logon, which prevents unauthorized access from password theft. | | |
Passkey | A passkey is a passwordless authentication method based on public key cryptography. RAM users can use a passkey to log on or as an MFA method. Passkeys use built-in biometrics (fingerprint or face) or a PIN on your device to complete authentication. | | |
Security email address | Attach a security email address to a RAM user. The verification code sent to the security email address is used for secondary identity verification. | | |
This topic describes the MFA methods for RAM users. For more information about the MFA methods for an Alibaba Cloud account, see Configure MFA for your account.
Usage notes
After you enable MFA and bind an MFA device to a RAM user, the user must provide two security factors when logging on or performing sensitive operations:
First factor: username and password.
Second factor: an MFA code from a virtual MFA device or security email address, or passkey authentication.
Limitations
Virtual MFA devices support logon through a browser or the Alibaba Cloud app.
For limitations and supported device types for passkeys, see "What is a passkey?"
A security email address can be attached to a maximum of five RAM users.