
Elastic Desktop Service: Configure MFA

Last Updated: Aug 14, 2024

Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide their usernames and passwords as well as the verification codes generated by their virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This topic describes how to configure MFA.

Background information

MFA is a simple and effective authentication method designed to enhance security. After you enable MFA for office networks or organization IDs, end users must associate their accounts with virtual MFA devices the first time they log on to Alibaba Cloud Workspace terminals. On every subsequent logon, the system authenticates user identities based on the following factors:

  • First factor: the username and password

  • Second factor: the verification code generated by the virtual MFA device

Note

Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. For example, the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If end users associate their accounts with virtual MFA devices, Alibaba Cloud requires them to present a 6-digit verification code generated by the virtual MFA device at logon to verify their identities. This effectively prevents unauthorized access caused by password theft.

Elastic Desktop Service (EDS) supports software-based virtual MFA devices. You can install virtual MFA devices such as the Alibaba Cloud app on your mobile phone.

Enable MFA for an office network

  1. Log on to the EDS console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the office network that you want to manage and click the ID of the office network.

  5. Turn on MFA in the Other Information section.

    Note

    Make sure that the Client Logon Verification and SSO switches are turned off.

After you enable MFA for the office network, end users must provide an MFA verification code when they connect to cloud computers in the office network from Alibaba Cloud Workspace terminals.

Enable MFA for an organization ID

  1. In the left-side navigation pane, choose Users & Logons > Logon Settings.

  2. On the Security tab of the Logon Settings page, turn on MFA.

After MFA is enabled for an organization ID, end users must enter an MFA verification code when they use the organization ID to log on to Alibaba Cloud Workspace terminals.

Delete a virtual MFA device

After you turn on the MFA switch in the EDS console, end users must associate virtual MFA devices with their accounts the first time they log on to Alibaba Cloud Workspace terminals. After end users change their virtual MFA devices, you must delete the original devices in the EDS console. After you delete virtual MFA devices, end users must associate new devices upon their next logon to Alibaba Cloud Workspace terminals.

Delete a virtual MFA device of a convenience user

  1. In the left-side navigation pane, choose Users & Logons > Users & Organizations.

  2. On the User tab of the Users & Organizations page, find the user that you want to manage, click the ⋮ icon in the Actions column, and then click Manage MFA Device.

  3. In the Manage MFA Device dialog box, find the desired virtual MFA device and click Delete in the Actions column. Then, click OK.

Delete a virtual MFA device of an enterprise AD user

Delete a virtual MFA device of an enterprise Active Directory (AD) user in an office network

  1. In the left-side navigation pane, choose Resources & Terminals > Cloud Computers.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Cloud Computers page, find the cloud computer that is assigned to the enterprise AD user, click the ⋮ icon in the Actions column, and then click Manage MFA Device.

  4. In the Manage MFA Device panel, follow the instructions to delete the virtual MFA device.

Note

If you enable MFA for an office network and end users bind virtual MFA devices to their enterprise AD accounts on their first logon to Alibaba Cloud Workspace terminals, the system locks a virtual MFA device for 1 hour after 10 consecutive failed verification attempts. If end users need to log on to Alibaba Cloud Workspace terminals while their virtual MFA devices are locked, you can call the UnlockVirtualMFADevice operation to unlock the devices, or call the DeleteVirtualMFADevice operation to delete the devices and allow the end users to associate other virtual MFA devices.

Delete a virtual MFA device of an enterprise AD user in an organization ID

  1. In the left-side navigation pane, choose Users & Logons > Logon Settings.

  2. On the Security tab of the Logon Settings page, find the AD domain that you want to manage and click Manage MFA Device to the right of the domain name.

  3. In the Manage MFA Device panel, delete the virtual MFA device as prompted.