Resource Access Management: Bind an MFA device to a RAM user

Last Updated: Feb 14, 2025

Multi-factor authentication (MFA) is a supplement to the username and password authentication model for console logons and sensitive operations in the console. To ensure the security of a Resource Access Management (RAM) user, you can bind an MFA device to the RAM user. The MFA device can help verify the identity of the RAM user.

Background information

  • RAM users support multiple MFA methods. For more information about the scenarios for each MFA method and the differences between the methods, see What is multi-factor authentication?

  • To implement MFA, you must configure the allowed MFA methods in the security settings of RAM users and perform the operations in this topic to bind an MFA device. For more information, see Manage the security settings of RAM users.

  • Original Universal 2nd Factor (U2F) security keys are upgraded to passkeys. If a U2F security key is bound, we recommend that the U2F security key be upgraded to a passkey. For more information, see Upgrade a U2F security key to a passkey.

Bind a virtual MFA device

Prerequisites

An app that supports virtual MFA is downloaded and installed on your mobile device. The following example describes how to download and install the Google Authenticator app:

  • If your mobile device runs iOS, download and install the Google Authenticator app from the App Store.

  • If your mobile device runs Android, download and install the Google Authenticator app from Google Play.

    Note

    If your mobile device runs Android, you must also download and install a quick response (QR) code scanner from an app store for Google Authenticator to identify QR codes.

Procedure

Bind a virtual MFA device on the RAM User Logon page

If you use a RAM user to log on, you can perform the following operations to bind a virtual MFA device.

  1. Go to the RAM User Logon page and enter the username and password of the RAM user.

  2. Select Virtual MFA Device.

  3. On your mobile device, enable a virtual MFA device.

    Note

    The following example shows how to bind a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.

    1. Open the Google Authenticator app.

    2. Tap Get started and select one of the following methods to enable a virtual MFA device:

      • Tap Scan a QR code in the Google Authenticator app and scan the QR code that is displayed on the virtual MFA binding page of the Alibaba Cloud Management Console. This method is recommended.

      • Tap Enter a setup key and enter the account and key from the virtual MFA binding page of the Alibaba Cloud Management Console. Then, click Add.

  4. In the Alibaba Cloud Management Console, enter the one-time password that is displayed in the Google Authenticator app. Then, click the confirmation button.

Bind a virtual MFA device in the RAM console

You can bind a virtual MFA device to a RAM user in the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the User Logon Name/Display Name column, click the username of the RAM user that you want to manage.

  4. In the Security Information Management section of the Authentication tab, click the copy icon next to Bind VMFA Link and open the link in your browser.

  5. On your mobile device, enable a virtual MFA device.

    Note

    The following example shows how to bind a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.

    1. Open the Google Authenticator app.

    2. Tap Get started and select one of the following methods to enable a virtual MFA device:

      • Tap Scan a QR code in the Google Authenticator app and scan the QR code that is displayed on the virtual MFA binding page of the Alibaba Cloud Management Console. This method is recommended.

      • Tap Enter a setup key and enter the account and key from the virtual MFA binding page of the Alibaba Cloud Management Console. Then, click Add.

  6. In the Alibaba Cloud Management Console, enter the one-time password that is displayed in the Google Authenticator app. Then, click the confirmation button.

Bind a virtual MFA device on the Security page

If RAM users are allowed to manage their MFA devices, the RAM users can perform the following operations to bind their virtual MFA devices. For more information about how to allow RAM users to manage their MFA devices, see Global security settings.

  1. On the RAM User Logon page, enter the username and password of a RAM user and perform the operations required for logon.

  2. Move the pointer over the profile picture in the upper-right corner and click Security Information.

  3. In the MFA Information section of the Security page, click Bind VMFA next to MFA Device.

  4. On your mobile device, enable a virtual MFA device.

    Note

    The following example shows how to bind a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.

    1. Open the Google Authenticator app.

    2. Tap Get started and select one of the following methods to enable a virtual MFA device:

      • Tap Scan a QR code in the Google Authenticator app and scan the QR code that is displayed on the virtual MFA binding page of the Alibaba Cloud Management Console. This method is recommended.

      • Tap Enter a setup key and enter the account and key from the virtual MFA binding page of the Alibaba Cloud Management Console. Then, click Add.

  5. In the Alibaba Cloud Management Console, enter the one-time password that is displayed in the Google Authenticator app. Then, click the confirmation button.

Note

You can select Enable for the Allow to remember MFA validation for 7 days parameter for RAM users. Then, when a RAM user performs MFA during logon, the RAM user can select the related option to allow the current logged-on device to remember the MFA status of the RAM user for seven days. Within seven days after the logon, MFA is not required for the RAM user. However, if the RAM user logs out of the current device and another RAM user tries to log on, MFA is required. For more information, see Manage the security settings of RAM users.
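
What the setup key and the one-time password in the virtual MFA procedures above do, as an added example that is not Alibaba Cloud's code: it assumes the virtual MFA device follows RFC 6238 TOTP with HMAC-SHA1, a 30-second step and 6 digits, which is what Google Authenticator generates by default. The setup key is constructed from the RFC 6238 test secret, and the function names and the drift and replay handling in `verify` are illustrative.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # length of the code shown by the authenticator app

def decode_setup_key(key: str) -> bytes:
    """Decode a Base32 setup key as a user types it (spaces, lower case, no padding)."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing `at` (HOTP over the step counter)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: float, window: int = 1, last_step: int = -1):
    """Return the time step the code matches, or None if it is rejected.

    Tolerates +/- `window` steps of clock drift and skips every step that is
    not newer than `last_step`, so a code that was already used is not replayable.
    """
    current = int(at) // STEP
    for step in range(max(0, current - window), current + window + 1):
        if step <= last_step:
            continue
        expected = totp(secret, step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

# Constructed setup key: Base32 of the RFC 6238 test secret "12345678901234567890".
SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    secret = decode_setup_key(SETUP_KEY)
    now = time.time()
    code = totp(secret, now)
    step = verify(secret, code, now)
    print("code", code, "accepted at step", step)
    print("replay accepted:", verify(secret, code, now, last_step=step) is not None)
```

Every code is derived from the setup key and the current time alone, so the QR code and setup key shown on the binding page need the same protection as a password.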

Bind a passkey

A RAM user can bind and save a passkey to a computer or mobile device. A RAM user can also bind and use a security key. After the binding is complete, the RAM user can use the passkey to log on to the Alibaba Cloud Management Console or implement MFA. A passkey-based authentication system first authenticates the binding between a device and a passkey to verify that the device is valid. Then, the system uses the authentication methods built into the device to authenticate the device owner. The built-in authentication methods are fingerprint recognition, facial recognition, and PIN codes. Before you bind a passkey, make sure that you understand the limits on passkeys and the device types supported by passkeys. For more information, see What is a passkey?

Bind a passkey on the RAM User Logon page

If you use a RAM user to log on, you can perform the following operations to bind a passkey.

  1. Go to the RAM User Logon page and enter the username and password of the RAM user.

  2. Select Passkey.

  3. On the Bind Passkey page, bind a passkey.

Bind a passkey on the Security page

  1. On the RAM User Logon page, enter the username and password of a RAM user and perform the operations required for logon.

  2. Move the pointer over the profile picture in the upper-right corner and click Security Information.

  3. In the Passkey section of the Security page, click Create Passkey.

  4. On the Bind Passkey page, bind a passkey.

Upgrade a U2F security key to a passkey

If a U2F security key is bound to a RAM user, the RAM user can use the U2F security key as expected. We recommend that the RAM user upgrade the U2F security key to a passkey.

  1. On the RAM User Logon page, enter the username and password of a RAM user and perform the operations required for logon.

  2. Move the pointer over the profile picture in the upper-right corner and click Security Information.

  3. In the MFA Information section of the Security page, click Update to Passkey next to MFA Device.

  4. In the Update U2F to Passkey message, click OK.

  5. On the Bind Passkey page, bind a security key.

    For more information, see Bind a security key.

What to do next

After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when the RAM user logs on to the Alibaba Cloud Management Console or performs sensitive operations in the console:

  1. Enter the username and password of the RAM user.

  2. Enter the verification code that is generated by the virtual MFA device. Alternatively, use the passkey to pass authentication.

Important

  • If you want to change the MFA device that is bound to a RAM user, you must unbind the existing MFA device before you bind another MFA device to the RAM user. For more information, see Unbind an MFA device from a RAM user.

  • If the MFA app (Google Authenticator) is uninstalled before a RAM user unbinds the MFA device, or the U2F security key is lost, the RAM user cannot log on to the Alibaba Cloud Management Console. In this case, the RAM user must contact the Alibaba Cloud account to which the RAM user belongs or a RAM user who has administrative rights to log on to the RAM console and unbind the MFA device. For more information, see Unbind an MFA device from a RAM user.