All Products
Search
Document Center

Elastic Desktop Service:Configure MFA

Last Updated:Dec 09, 2024

Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide the usernames, passwords, and dynamic codes sent by virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This topic describes how to configure MFA.

Background information

MFA is a simple and effective authentication method used to enhance security. After you activate MFA for office networks or organization IDs, Alibaba Cloud Workspace terminals require end users to go through two-level verification every time they log on.

  • First-level: Enter the correct username and password.

  • Second-level: Enter the dynamic code generated by the virtual MFA device.

    Note

    Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. Several examples of virtual MFA devices are Google Authenticator and Microsoft Authenticator. When MFA is activated, end users must enter a six-digit code dynamically generated by their virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This prevents unauthorized access due to compromised passwords.

Alibaba Cloud Workspace terminals support software-based virtual MFA devices. You can install TOTP-based virtual MFA devices, such as Google Authenticator and Microsoft Authenticator, on your mobile phones.

Enable MFA for an office network

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the office network that you want to manage and click the ID of the office network.

  5. In the Other Information section, turn on the MFA switch. In the message that appears, click OK.

    Note

    Make sure that the Client Logon Verification and SSO switches are turned off.

After you enable MFA for an office network, end users must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals in this office network.

Enable MFA for an organization ID

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the Security tab of the Logon Settings page, turn on the MFA switch.

After you enable MFA for an office network, end users who use the organization ID must enter a dynamic MFA code when they log on to Alibaba Cloud Workspace terminals.

Delete a virtual MFA device

After you turn on the MFA switch in the EDS console, end users must bind virtual MFA devices to their convenience accounts the first time they log on to Alibaba Cloud Workspace terminals. If end users change their virtual MFA devices, you must delete the original devices in the EDS console. After you delete virtual MFA devices, end users must bind new devices to their convenience accounts the next time they log on to Alibaba Cloud Workspace terminals.

Delete a virtual MFA device of a convenience user

  1. In the left-side navigation pane, choose Resources > Cloud Computers.

  2. In the left-side navigation pane, choose Users > Users & Organizations.

  3. On the User tab of the Users & Organizations page, find the user that you want to manage, click the icon in the Actions column, and then click Manage MFA Device.

  4. In the Manage MFA Device dialog box, find the MFA device that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

Delete a virtual MFA device of an enterprise AD user

Delete a virtual MFA device of an enterprise Active Directory (AD) user from an office network

  1. In the left-side navigation pane, choose Resources > Cloud Computers.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the cloud computers page, find the cloud computer that is assigned to the desired enterprise AD user, click the ⋮ icon in the Actions column, and then click Manage MFA Device.

  4. In the Manage MFA Device panel, delete the virtual MFA device as prompted.

Note

If you enable MFA for an office network and end users bind virtual MFA devices to their enterprise AD accounts the first time they log on to Alibaba Cloud Workspace terminals, the system locks the virtual MFA devices for 1 hour after 10 consecutive failed verification attempts. If the end users want to log on to Alibaba Cloud Workspace terminals when virtual MFA devices are locked, you can call the UnlockVirtualMFADevice operation to unlock the devices or call the DeleteVirtualMFADevice operation to delete the devices and allow the end users to bind other virtual MFA devices to their enterprise AD accounts.

Delete a virtual MFA device of an enterprise AD user from an organization ID

  1. In the left-side navigation pane, choose Resources > Cloud Computers.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the Security tab of the Logon Settings page, find the AD domain that you want to manage and click Manage MFA Device to the right of the domain name.

  4. In the Manage MFA Device panel, delete the virtual MFA device as prompted.