Overview

What Is Multi-Factor Authentication (MFA)?

MFA provides an additional layer of protection on top of the username and password. If MFA is enabled, you need to enter the username and password (first factor) as well as a verification code (second factor) when performing certain operations. These factors together keep your account and resources secure.

MFA can also be enabled to verify a user's identity before the user is allowed to perform critical operations. When a user attempts to perform a critical operation, the user needs to enter a verification code to proceed.

MFA Methods

MFA can be performed through SMS, email, and virtual MFA device.

Application Scenarios

MFA is suitable for login protection and critical operation protection. You can bind a virtual MFA device to an IAM user for login protection and operation protection. Security keys are used for login protection only. If MFA is enabled, the setting takes effect for both the management console and REST APIs.

• Login protection: When you or an IAM user logs in to the console, you and the user need to enter a verification code in addition to the username and password.
• Operation protection: When you or an IAM under your account attempts to perform a critical operation, such as deleting an ECS resource, you and the user need to enter a verification code to proceed.

For more information about login protection and critical operation protection, see Critical Operation Protection.

Constraints

• An IAM user can have only one virtual MFA device added.
• An IAM user can have a maximum of eight security keys added.