FAQ about MFA

Updated at: 2025-03-26 06:34

This topic provides answers to some frequently asked questions about multi-factor authentication (MFA), such as invalid MFA verification codes, authentication failure of MFA, changing an MFA device, and forcibly enabling and disabling MFA.

After I enter the verification code on the MFA binding page, a message indicating that the verification code is invalid appears. What do I do?

  • MFA is a time-based authentication method. Make sure that your mobile phone has no time deviations.

  • Each verification code that is generated by your MFA device is updated every 30 seconds. Make sure that you enter the most recent and unused verification code.

  • The quick response (QR) code (key) that is displayed on the MFA binding page may have expired because the page expired. Refresh the page and use your MFA device to scan the new QR code.

  • If you open the MFA binding page multiple times and use your MFA device to scan the QR code each time you open the MFA binding page, the MFA device displays different verification codes for your account at the same time. In this case, you may enter invalid verification codes, which causes authentication failures. We recommend that you check whether your account is already displayed on the MFA device. If your account is displayed, remove the account and rescan the QR code. This ensures that you enter a valid verification code.

  • Bind an MFA device again.

    • Bind an MFA device to an Alibaba Cloud account again.

      1. Unbind the current MFA device.

        For more information, see Unbind a U2F security key.

      2. Bind an MFA device again.

        For more information, see Bind a U2F security key.

    • Bind an MFA device to a Resource Access Management (RAM) user again.

      If the Alibaba Cloud account to which the RAM user belongs allows the RAM user to manage an MFA device, the RAM user can unbind or bind an MFA device. If the current RAM user does not have the permissions to manage an MFA device, contact the Alibaba Cloud account to which the RAM user belongs or a RAM administrator.

      1. Unbind the current MFA device.

        For more information, see Unbind an MFA device from a RAM user.

      2. Bind an MFA device again.

        For more information, see Bind an MFA device to a RAM user.

  • If the issue persists after you try the preceding methods, submit a ticket. You must also provide a screenshot of the page that shows the MFA binding failure, a screenshot of your mobile phone that shows the time at which the binding started, the account to which you want to bind the MFA device, and the times at which you performed each operation during the binding.

What do I do if an authentication failure is prompted when I attempt to perform MFA-based logon?

  • MFA is a time-based authentication method. Make sure that your mobile phone has no time deviations.

  • Make sure that the verification codes that you enter are generated for the current account. The verification codes must be most recently generated and unused.

  • If the current MFA device is unbound from the current account, and another MFA device is bound to the current account, obtain the verification codes from the new MFA device.

  • Bind an MFA device again.

    • Bind an MFA device to an Alibaba Cloud account again.

      1. Unbind the current MFA device.

        For more information, see Unbind a U2F security key.

      2. Bind an MFA device again.

        For more information, see Bind a U2F security key.

    • Bind an MFA device to a Resource Access Management (RAM) user again.

      If the Alibaba Cloud account to which the RAM user belongs allows the RAM user to manage an MFA device, the RAM user can unbind or bind an MFA device. If the current RAM user does not have the permissions to manage an MFA device, contact the Alibaba Cloud account to which the RAM user belongs or a RAM administrator.

      1. Unbind the current MFA device.

        For more information, see Unbind an MFA device from a RAM user.

      2. Bind an MFA device again.

        For more information, see Bind an MFA device to a RAM user.

  • If the issue persists after you try the preceding methods, submit a ticket. You must also provide a screenshot of your mobile phone that shows the time at which the authentication started, the account that is required for MFA-based logon, and the times at which you performed each operation during the authentication.
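
The two causes named in both FAQs above (a phone clock that has drifted, and a code generated from a key other than the one currently bound) can be told apart with a short script. This is an added example, not Alibaba Cloud code; it assumes standard RFC 6238 TOTP (HMAC-SHA1, 6 digits), which this page does not name, and the keys and the `diagnose` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per verification code, as stated on this page
DIGITS = 6   # assumption: 6-digit codes (RFC 6238 default)

# Constructed sample keys (Base32). CURRENT_KEY is the RFC 6238 test key;
# STALE_KEY stands in for a key left on the phone by an earlier QR scan.
CURRENT_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STALE_KEY = base64.b32encode(b"constructed-key-#2!!").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the RFC 6238 code for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def diagnose(secret_b32: str, code: str, server_time: int, search_steps: int = 10):
    """Return the step offset at which `code` matches the bound key, or None.

    0 means the code is current. A nonzero offset means the phone clock is
    off by roughly offset * 30 seconds. None means the code was not produced
    by this key within the window: a different key (for example an older QR
    scan) or a typo. This wide search is for troubleshooting only and is not
    an acceptance window a verifier should use.
    """
    for off in sorted(range(-search_steps, search_steps + 1), key=abs):
        candidate = totp(secret_b32, server_time + off * STEP)
        if hmac.compare_digest(candidate, code):
            return off
    return None


if __name__ == "__main__":
    now = 1111111199  # constructed server time
    print(diagnose(CURRENT_KEY, totp(CURRENT_KEY, now - 90), now))  # slow clock
    print(diagnose(CURRENT_KEY, totp(STALE_KEY, now), now))         # wrong key
```

A nonzero offset points to fixing the phone's time synchronization; `None` points to removing the duplicate account entry and rescanning, as the steps above describe.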

What do I do if the MFA device is deleted by mistake or my mobile phone is lost?

How do I change an MFA device?

If you want to change the MFA device that is bound to an Alibaba Cloud account or a RAM user, you can perform the following operations. In this example, the current MFA device is the Alibaba Cloud app that is installed on Mobile Phone A, and you want to change it to the Alibaba Cloud app that is installed on Mobile Phone B.

Change an MFA device that is bound to an Alibaba Cloud account

  1. Log on to the Account Center.

  2. Unbind the MFA device that is installed on Mobile Phone A from the Alibaba Cloud account.

    For more information, see Unbind a U2F security key.

  3. Bind the MFA device that is installed on Mobile Phone B to the Alibaba Cloud account.

    For more information, see Bind a U2F security key.

Change an MFA device that is bound to a RAM user

If the Alibaba Cloud account to which the RAM user belongs allows the RAM user to manage an MFA device, the RAM user can unbind or bind an MFA device. If the current RAM user does not have the permissions to manage an MFA device, contact the Alibaba Cloud account to which the RAM user belongs or a RAM administrator. For more information, see Manage the security settings of RAM users.

  1. Log on to the RAM console.

  2. Unbind the MFA device that is installed on Mobile Phone A from the RAM user.

    For more information, see Unbind an MFA device from a RAM user.

  3. Bind the MFA device that is installed on Mobile Phone B to the RAM user.

    For more information, see Bind an MFA device to a RAM user.

How do I forcibly implement MFA for all RAM users or a specific RAM user when the RAM user logs on to the Alibaba Cloud Management Console?

An Alibaba Cloud account or a RAM user who has administrative rights can modify the security settings and console logon settings of RAM users to implement MFA when the RAM users log on to the Alibaba Cloud Management Console. You can use one of the following methods:

After you complete the preceding settings, RAM users must bind MFA devices when they log on to the Alibaba Cloud Management Console. After MFA devices are bound, RAM users must enter MFA verification codes when they log on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

How do I disable MFA for RAM users when they log on to the Alibaba Cloud Management Console?

If you disable MFA for RAM users, the account security is compromised. We recommend that you evaluate related password leak risks before you disable MFA.

Note

To protect your Alibaba Cloud accounts and assets, MFA will be gradually applied by account ID. From March 28, 2025, the RAM users to whom the AdministratorAccess system policy is attached must perform MFA when they log on to the Alibaba Cloud Management Console. MFA cannot be disabled for such RAM users. For more information, see Notice about Alibaba Cloud enabling RAM user MFA for accounts by default.

Unbinding an MFA device does not disable MFA. If you want to disable MFA for RAM users, you must modify the security settings or console logon settings of RAM users.

  1. Use an Alibaba Cloud account or a RAM user who has administrative rights to modify the security settings of RAM users.

    In the MFA section of the Settings page, set MFA for RAM user sign-in to Depend on each user or Only when sign-in abnormally. For more information, see Manage the security settings of RAM users.

    • Depend on each user: specifies that user-specific settings are applied. If you select this option, you must perform the following step.

    • Only when sign-in abnormally: MFA is required only when a logon is initiated from a location or device other than the common logon locations or devices.

  2. Use an Alibaba Cloud account or a RAM user who has administrative rights to modify the console logon settings of RAM users.

    In the Console Logon Management section, set Enable MFA to Not Required. For more information, see Manage console logon settings for a RAM user.
