Multi-factor authentication (MFA) is an easy-to-use and effective authentication model that adds an extra layer of protection on top of your username and password. MFA verifies users who log on to the console or perform sensitive operations in the console. This way, the security of your account is ensured. MFA does not affect API calls that are made by using AccessKey pairs. This topic describes the MFA methods that are supported for RAM users, along with the usage notes and limits of MFA in Resource Access Management (RAM).
MFA types
| MFA method | Description | Scenario | References |
| --- | --- | --- | --- |
| Virtual MFA devices | The Time-based One-Time Password (TOTP) algorithm is a widely used multi-factor authentication protocol. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, both the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated on the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logon due to password theft. | | |
| Passkeys | Passkeys are a secure authentication method that can be used as a replacement for passwords. RAM users can use passkeys for logons and MFA. A passkey allows you to use the authentication methods built into your laptop, mobile phone, or other devices for logons or MFA. The built-in authentication methods include fingerprint recognition, facial recognition, and PIN codes. | | |
| Email addresses | Email addresses bound to RAM users are used to receive verification codes for MFA. | Sensitive operations | |
This topic describes the MFA methods for RAM users. For more information about the MFA methods for Alibaba Cloud accounts and related operations, see Bind a U2F security key.
Usage notes
After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when logging on to the Alibaba Cloud Management Console or performing sensitive operations in the console:
1. Enter the username and password of the RAM user.
2. Enter the verification code that is generated by the virtual MFA device or that is sent to the secure email address. Alternatively, use the passkey to pass authentication.
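The 6-digit code that a virtual MFA device generates is a TOTP value as defined in RFC 6238. The following added example, which is not Alibaba Cloud's code, shows how a verifier can derive and check such a code, including clock-drift tolerance and rejection of a reused code. The 30-second step, HMAC-SHA1, the one-step drift window, and the `TotpVerifier` class are assumptions made for illustration, and the secret is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # the page states that the code has 6 digits


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the TOTP code (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Hypothetical server-side check: drift window plus single-use codes."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window      # accepted time steps on either side of now
        self.last_counter = -1    # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # reused or older code: never accept again
            expected = totp(self.secret, counter * STEP)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


# Constructed sample: the RFC 6238 test secret, Base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    print(totp(RFC_SECRET, 59))                 # code for the RFC test time
    print(verifier.verify("287082", now=59))    # first use is accepted
    print(verifier.verify("287082", now=59))    # same code again is rejected
```

Tracking the last accepted time step is what stops a code captured during logon from being submitted a second time within its validity window.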
Limits
Virtual MFA can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.
For more information about the limits on passkeys and the device types supported by passkeys, see What is a passkey?
An email address can be bound to a maximum of five RAM users.