
Bastionhost:Enable two-factor authentication

Last Updated:Aug 09, 2024

A Bastionhost administrator can enable two-factor authentication for a user based on text messages, emails, DingTalk notifications, or one-time password (OTP) tokens. This way, after a user passes password authentication, the user must also pass two-factor authentication before logging on to the Bastionhost. This reduces the risk posed by a leaked password. This topic describes how to enable two-factor authentication.

Background information

  • In the Bastionhost console, you can enable two-factor authentication for all local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users. To enable two-factor authentication for a Resource Access Management (RAM) user, log on to the RAM console. For more information, see Bind an MFA device to an Alibaba Cloud account.

  • The global two-factor authentication settings that you configure on the System Settings page have a lower priority than the two-factor authentication settings for a specific user. For more information, see Manage users.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the System Settings page, click the Two-factor Authentication tab.

  5. Turn on Enable Two-factor Authentication, select one or more values for Authentication Method, and then click Save.

    Parameter: Authentication Method

    Text Message

    Specifies that two-factor authentication is implemented by using text messages.

    If you select this value, you must specify the mobile phone number of the user who wants to perform O&M operations. Otherwise, the user cannot receive verification codes. For more information about how to specify the mobile phone number of a user, see Modify the basic information about a local user.

    Email

    Specifies that two-factor authentication is implemented by using emails.

    If you select this value, you must specify the email address of the user who wants to perform O&M operations. Otherwise, the user cannot receive verification codes. For more information about how to specify the email address of a user, see Modify the basic information about a local user.

    DingTalk

    Specifies that two-factor authentication is implemented by using DingTalk notifications.

    If you select this value, you must make sure that the following requirements are met:

    • The mobile phone number of the user who wants to perform O&M operations is specified. For more information about how to specify the mobile phone number of a user, see Modify the basic information about a local user.

    • An internal enterprise application is created by the DingTalk administrator, and the API operation that obtains member information by the mobile phone numbers and names of members is enabled for the application.

    • The AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.

    OTP App

    Specifies that two-factor authentication is implemented by using OTP tokens.

    If you select this value, the user must perform the following steps before logging on to a bastion host: Download a standard time-based one-time password (TOTP) authentication app, such as the Alibaba Cloud app. Then, log on to the O&M portal of the bastion host by using a public endpoint. In the left-side navigation pane, click Security Settings. On the Enable OTP tab, click Bind OTP App and scan the QR code to bind the OTP token for authentication. For more information about how to log on to the O&M portal of a bastion host, see Log on to the O&M portal.

    Parameter: Language

    The natural language in which two-factor notifications are sent. You can select Simplified Chinese or English.

    Parameter: If the two-factor code is correct, you do not need to enter the code for

    The time period during which a user does not need to enter a two-factor authentication code again. Valid values: 0 to 168 hours or 0 to 7 days. The default value 0 hours indicates that the user must enter a two-factor authentication code upon each logon.

    During the time period specified by this parameter, the same user logging on from the same source IP address does not need to enter a two-factor authentication code.

Supported countries and areas

Country or area: Calling code

Areas in China

Hong Kong (China): +852

Macao (China): +853

Taiwan (China): +886

Chinese mainland: +86

Countries and areas outside China

Australia: +61

Poland: +48

Germany: +49

UAE: +971

Russia: +7

France: +33

Philippines: +63

Republic of Korea: +82

Malaysia: +60

United States: +1

Japan: +81

Sweden: +46

Switzerland: +41

Spain: +34

Singapore: +65

Israel: +972

Italy: +39

India: +91

Indonesia: +62

United Kingdom: +44

Saudi Arabia: +966

Thailand: +66

Vietnam: +84

Cambodia: +855