
Resource Access Management: What is multi-factor authentication?

Last Updated: Mar 19, 2025

Multi-factor authentication (MFA) is an easy-to-use and effective authentication model that adds an extra layer of protection on top of your username and password. MFA verifies users who initiate console logon or perform sensitive operations in the console, which improves the security of your account. MFA does not affect API operation calls that are made by using AccessKey pairs. This topic describes the MFA methods that are supported for RAM users, together with the usage notes and limits of MFA in Resource Access Management (RAM).

MFA types

| MFA method | Description | Scenario | References |
| --- | --- | --- | --- |
| Virtual MFA devices | The Time-based One-Time Password (TOTP) algorithm is a widely used multi-factor authentication protocol. Applications that support TOTP on devices such as mobile phones are called virtual MFA devices. For example, both the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If you enable a virtual MFA device, you must enter the 6-digit verification code that is generated on the device when you log on to the Alibaba Cloud Management Console. This prevents unauthorized logon due to password theft. | Console logons, sensitive operations | Bind a virtual MFA device |
| Passkeys | Passkeys are a secure authentication method that can be used as a replacement for passwords. RAM users can use passkeys for logons and MFA. A passkey allows you to use the authentication methods built into your laptop, mobile phone, or other devices for logons or MFA. The built-in authentication methods include fingerprint recognition, facial recognition, and PIN codes. | Console logons, sensitive operations | Bind a passkey |
| Email addresses | Email addresses bound to RAM users are used to receive verification codes for MFA. | Sensitive operations | Bind an MFA device to a RAM user |

Note

This topic describes the MFA methods for RAM users. For more information about the MFA methods for Alibaba Cloud accounts and related operations, see Bind a U2F security key.

Usage notes

After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when the RAM user logs on to the Alibaba Cloud Management Console or performs sensitive operations in the console:

  1. Enter the username and password of the RAM user.

  2. Enter the verification code that is generated by the virtual MFA device or that is sent to the secure email address. Alternatively, use the passkey to pass authentication.

Limits

  • Virtual MFA can be used when you log on to the Alibaba Cloud Management Console from a browser or the Alibaba Cloud app.

  • For more information about the limits on passkeys and the device types supported by passkeys, see What is a passkey?

  • An email address can be bound to a maximum of five RAM users.