Identity as a Service:Two-factor authentication

Mode

Scenarios

Description

Intelligent mode (recommended)

When the system detects the following high-risk logon behaviors, it automatically triggers intelligent mode verification to enhance account security:

1. Logon from an unusual geographic location. The system detects when a user logs on from an unfamiliar country/region or an unusual IP address range (for example, if a user typically logs on from Beijing but suddenly logs on from overseas).

2. Logon from an unusual device. Using an unrecorded device (such as a new phone/browser) or logging on to an account for the first time.

3. High-risk operation behavior. Attempting to access sensitive permissions (such as the administrator console) or frequently modifying account security settings (such as resetting passwords multiple times).

4. System risk policy match. The system detects the use of anonymity tools such as proxies/VPNs in the current network environment, or successful logon attempts after multiple failed logons within a short period.

After this mode is enabled, IDaaS EIAM determines whether two-factor authentication is required based on the context, reducing user complexity while ensuring security.

Always-on mode

1. Sensitive business systems with extremely high security requirements.

2. Scenarios where regulatory compliance requires verification for each logon.

3. Privileged accounts such as administrator accounts.

Two-factor authentication is required for each sign-in.

Method

Description

OTP dynamic password

Use the Alibaba Cloud app or other common OTP apps (such as Google Authenticator) to enter a 6-digit dynamic password to complete two-factor authentication.

Users can attach OTP in the account management section of the IDaaS EIAM application portal. For more information, see User self-service.

Administrators can help users detach OTP dynamic passwords. For more information, see OTP-Attached dynamic password.

SMS verification code

A 6-digit verification code is sent to the phone number associated with the IDaaS EIAM account. If the account does not have a phone number, this method cannot be used.

SMS is free of charge.

You can view the text message content in the SMS template menu.

Email verification code

A 6-digit verification code is sent to the email address associated with the IDaaS EIAM account. If the account does not have an email address, this method cannot be used.

You can view the email content in the Email template menu.

WebAuthn

Use a WebAuthn authenticator as a second authentication factor to achieve hardware-level secure and convenient authentication.

For more information, see Advanced: WebAuthn secure logon.

Administrators can help users register and delete WebAuthn authenticators. For more information, see WebAuthn-Registered authenticators.

Method

Description

Account has no available two-factor authentication method

This condition is met when the account has not attached any of the enabled two-factor authentication methods. For example, if SMS verification code authentication is enabled but the account only has an email address attached, this condition is met.

Account has no successful logon record

This condition is met if the account has never successfully logged on to IDaaS EIAM. We recommend enabling this condition (or enabling it after existing accounts have completed attachment) to reduce the risk of existing accounts being compromised.

Account created less than n days ago

This means that only new accounts can attach within a certain time period. We recommend enabling this condition to reduce the risk of existing accounts being compromised.