Multi-factor authentication (MFA) adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide the usernames and passwords, as well as the verification codes sent by virtual MFA devices when they log on to Alibaba Cloud Workspace terminals. This topic describes how to configure MFA.
Background information
MFA is a simple and effective authentication method designed to enhance security. After you enable MFA for office networks or organization IDs, end users must associate their accounts to virtual MFA devices the first time they log on to Alibaba Cloud Workspace terminals. Then, the next time they log on to the terminals, the system authenticates user identities based on the following factors:
First factor: the username and password
Second factor: the verification code generated by the virtual MFA device
Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. For example, the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If end users associate their accounts to virtual MFA devices, Alibaba Cloud requires them to present a 6-digit verification code generated by the virtual MFA devices upon their logon to verify their identities. This effectively prevents unauthorized access caused by password theft.
Elastic Desktop Service (EDS) supports software-based virtual MFA devices. You can install virtual MFA devices such as the Alibaba Cloud app on your mobile phone.
Enable MFA for an office network
Log on to the EDS console.
In the left-side navigation pane, choose
.In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click the ID of the office network.
Turn on MFA in the Other Information section.
NoteMake sure that the Client Logon Verification and SSO switches are turned off.
After you enable MFA for the office network, end users must provide an MFA verification code when they connect to cloud computers in the office network from Alibaba Cloud Workspace terminals.
Enable MFA for an organization ID
In the left-side navigation pane, choose
.On the Security tab of the Logon Settings page, turn on MFA.
After MFA is enabled for an organization ID, end users must enter MFA verification code when they use the organization ID to log on to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device
After you turn on the MFA switch in the EDS console, end users must associate virtual MFA devices to their accounts the first time they log on to Alibaba Cloud Workspace terminals. After end users change their virtual MFA devices, you must delete the original devices in the EDS console. After you delete virtual MFA devices, end users must associate new devices upon their next logon to Alibaba Cloud Workspace terminals.
Delete a virtual MFA device of a convenience user
In the left-side navigation pane, choose
.On the User tab of the Users & Organizations page, find the user that you want to manage, click the ⋮ icon in the Actions column, and then click Manage MFA Device.
In the Manage MFA Device dialog box, find the desired virtual MFA device and click Delete in the Actions column. Then, click OK.