Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide the usernames, passwords, and dynamic codes sent by virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This topic describes how to configure MFA.
Background information
MFA is a simple and effective authentication method used to enhance security. After you activate MFA for office networks or organization IDs, Alibaba Cloud Workspace terminals require end users to go through two-level verification every time they log on.
First-level: Enter the correct username and password.
Second-level: Enter the dynamic code generated by the virtual MFA device.
NoteTime-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. Several examples of virtual MFA devices are Google Authenticator and Microsoft Authenticator. When MFA is activated, end users must enter a six-digit code dynamically generated by their virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This prevents unauthorized access due to compromised passwords.
Alibaba Cloud Workspace terminals support software-based virtual MFA devices. You can install TOTP-based virtual MFA devices, such as Google Authenticator and Microsoft Authenticator, on your mobile phones.
Enable MFA for an office network
Log on to the EDS Enterprise console.
In the left-side navigation pane, choose
.In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click the ID of the office network.
In the Other Information section, turn on the MFA switch. In the message that appears, click OK.
NoteMake sure that the Client Logon Verification and SSO switches are turned off.
After you enable MFA for an office network, end users must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals in this office network.
Enable MFA for an organization ID
Log on to the EDS Enterprise console.
In the left-side navigation pane, choose
.On the Security tab of the Logon Settings page, turn on the MFA switch.
After you enable MFA for an office network, end users who use the organization ID must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device
After you turn on the MFA switch in the EDS console, end users must bind virtual MFA devices to their convenience accounts the first time they log on to Alibaba Cloud Workspace terminals. If end users change their virtual MFA devices, you must delete the original devices in the EDS console. After you delete virtual MFA devices, end users must bind new devices to their convenience accounts the next time they log on to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device of a convenience user
In the left-side navigation pane, choose
.In the left-side navigation pane, choose
.On the User tab of the Users & Organizations page, find the user that you want to manage, click the ⋮ icon in the Actions column, and then click Manage MFA Device.
In the Manage MFA Device dialog box, find the MFA device that you want to delete and click Delete in the Actions column. In the message that appears, click OK.