This topic describes the two-factor authentication feature and how to bind two-factor authentication methods to users when they log on to Identity as a Service (IDaaS) Enterprise Identity and Access Management (EIAM).
IDaaS EIAM supports two-factor authentication. If two-factor authentication is enabled, users must complete second-factor authentication after they log on by using their passwords. This ensures security and meets compliance requirements.
Configure two-factor authentication
Two-factor authentication is enabled by default to ensure security.
Modes
IDaaS EIAM supports the following modes of two-factor authentication.
| Mode | Description |
| --- | --- |
| Intelligent | IDaaS EIAM decides whether two-factor authentication is required based on the context. This mode ensures security and provides a smooth user experience. We recommend that you select this mode. |
| Always | Two-factor authentication is required for each logon. |
Two-factor authentication methods
IDaaS EIAM supports a variety of two-factor authentication methods. Administrators can enable multiple two-factor authentication methods at the same time.
| Method | Description |
| --- | --- |
| One-time password (OTP) | A user uses the Alibaba Cloud app or another common OTP app such as Google Authenticator to generate a 6-digit code to complete two-factor authentication. A user can bind an OTP app to the account on the My Account page in the IDaaS console. For more information, see Self-Service. An administrator can unbind an OTP app from an account. For more information, see the "OTP Bound" section of the Manage accounts topic. |
| SMS | A text message that contains a 6-digit verification code is sent to the mobile number of an IDaaS EIAM user. If a user does not have a mobile number, this method is unavailable. Text messages are free of charge. You can view the content of text messages that are sent by IDaaS EIAM on the Branding page. For more information, see SMS and Email Content. |
| Email | An email that contains a 6-digit verification code is sent to the email address of an IDaaS EIAM user. If a user does not have an email address, this method is unavailable. You can view the email content on the Branding page. For more information, see SMS and Email Content. |
| WebAuthn | A WebAuthn authenticator is used as the second factor to provide hardware-backed, convenient authentication. For more information, see WebAuthn. An administrator can register a WebAuthn authenticator for an account or remove a WebAuthn authenticator from an account. For more information, see the "WebAuthn-registered authenticator" section of the Manage accounts topic. |
Note: An IDaaS EIAM user must bind at least one two-factor authentication method to the account to complete two-factor authentication. We recommend that you enable Bind Two-factor Authentication for Logons or make sure that all IDaaS users can use at least one method to complete two-factor authentication.
After two-factor authentication is enabled, all IDaaS EIAM users can use the feature. Users can choose a method to complete two-factor authentication. The following figure shows an example.
Enable Bind Two-factor Authentication for Logons
After you enable Bind Two-factor Authentication for Logons, users can bind available two-factor authentication methods to their accounts during logons if the specified binding conditions are met.
Binding conditions
Users can bind two-factor authentication methods to their accounts during logons only if the accounts meet all the enabled binding conditions.
| Condition | Description |
| --- | --- |
| No Two-factor Authentication Method in Use | This condition is met if an account is not bound to any of the enabled two-factor authentication methods. For example, if the SMS method is enabled but an account is bound only to the email method, this condition is met. |
| No Successful Logon Record | Only accounts with no successful logon records can be bound to two-factor authentication methods. We recommend that you enable this condition to reduce the risk of account theft. You can also enable this condition after two-factor authentication methods are bound to all existing users. |
| Account Exists for Less Than n Days | A new account can be bound to two-factor authentication methods only within a specific period of time after it is created. We recommend that you enable this condition to reduce the risk of account theft. |
Available two-factor authentication methods
If a user meets the enabled binding conditions, the user can bind available two-factor authentication methods to the account.
In the following example, both the SMS and email methods are enabled for the IDaaS EIAM instance, but only SMS is enabled as an available two-factor authentication method.
In this case, if the account of a user is bound to neither a mobile number nor an email address, the user can bind a mobile number, but not an email address, as the two-factor authentication method to the account during logon.
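The following added example models the binding conditions and the available-method filter described above so that the rules can be checked against concrete accounts. It is illustrative code written for this page, not the IDaaS EIAM implementation; the `Account` and `BindingPolicy` types and their field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

@dataclass
class Account:
    """Hypothetical view of an IDaaS EIAM account (constructed for this example)."""
    bound_methods: Set[str] = field(default_factory=set)  # e.g. {"email"}
    successful_logons: int = 0
    created_at: datetime = datetime(2024, 1, 1)

@dataclass
class BindingPolicy:
    """Hypothetical instance settings for Bind Two-factor Authentication for Logons."""
    enabled_methods: Set[str]                  # 2FA methods enabled on the instance
    available_methods: Set[str]                # methods users may bind during logon
    require_no_method_in_use: bool = True      # "No Two-factor Authentication Method in Use"
    require_no_successful_logon: bool = False  # "No Successful Logon Record"
    max_account_age_days: Optional[int] = None # "Account Exists for Less Than n Days"

def unmet_conditions(account: Account, policy: BindingPolicy, now: datetime) -> list:
    """Return the enabled binding conditions the account does NOT satisfy."""
    unmet = []
    # Met only if the account is bound to none of the *enabled* methods; a binding
    # to a method that is not enabled (e.g. email while only SMS is enabled) is ignored.
    if policy.require_no_method_in_use and account.bound_methods & policy.enabled_methods:
        unmet.append("No Two-factor Authentication Method in Use")
    if policy.require_no_successful_logon and account.successful_logons > 0:
        unmet.append("No Successful Logon Record")
    if policy.max_account_age_days is not None:
        if now - account.created_at >= timedelta(days=policy.max_account_age_days):
            unmet.append("Account Exists for Less Than n Days")
    return unmet

def bindable_at_logon(account: Account, policy: BindingPolicy, now: datetime) -> Set[str]:
    """Methods the user may bind during this logon; empty if any enabled condition fails."""
    if unmet_conditions(account, policy, now):
        return set()
    # Only methods that are both enabled on the instance and marked available,
    # minus anything the account already has bound.
    return (policy.available_methods & policy.enabled_methods) - account.bound_methods
```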