Updated on 2022-08-18 GMT+08:00

Virtual MFA Device

This section describes how to bind and unbind a virtual MFA device. If the bound virtual MFA device of an IAM user is deleted or the mobile phone on which it runs is unavailable, you can remove the virtual MFA device for the IAM user.

What Is a Virtual MFA Device?

An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Currently, software-based virtual MFA devices are supported. They are application programs running on smart devices such as mobile phones.

Binding a Virtual MFA Device

Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.

  1. On the IAM console, choose Account Security Settings in the navigation pane.
  2. Click the Account Settings tab, and then click Bind next to Virtual MFA Device.
  3. Set up the MFA application by scanning the QR code or entering the secret key.

    • Scan the QR code

      Open the MFA application on your mobile phone, and use the application to scan the QR code on the displayed page. Your account and secret key are then added to the application.

    • Enter the secret key

      Open the MFA application on your mobile phone, and enter the secret key.

    • The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.
    • To ensure that you can perform MFA-based verification successfully, confirm that you have enabled the automatic time setup option on your mobile phone.

  4. View the verification code on the MFA application. The code is automatically updated every 30 seconds.
  5. On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK to bind the virtual MFA device.
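How the codes in steps 4 and 5 are derived and why the phone clock matters, as an added example that is not part of the original documentation. It assumes HMAC-SHA1 and a Base32-encoded secret key (the usual defaults for MFA applications; the page only states TOTP, 6 digits and 30 seconds), and `verify_consecutive` with its `window` tolerance is a hypothetical server-side check, not the service's documented logic.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as stated on this page
DIGITS = 6    # code length, as stated on this page


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 assumed) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_consecutive(secret_b32, code1, code2, server_time, window=1):
    """Hypothetical bind check: code1 and code2 must come from two adjacent
    time steps that start within +/- `window` steps of the server clock."""
    for drift in range(-window, window + 1):
        t = server_time + drift * STEP
        ok1 = hmac.compare_digest(totp(secret_b32, t), code1)
        ok2 = hmac.compare_digest(totp(secret_b32, t + STEP), code2)
        if ok1 and ok2:
            return True
    return False


# Constructed sample secret: Base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111109                      # fixed timestamp from the RFC 6238 test vectors
    first, second = totp(SAMPLE_SECRET, now), totp(SAMPLE_SECRET, now + STEP)
    print("consecutive codes:", first, second)
    print("accepted:", verify_consecutive(SAMPLE_SECRET, first, second, now))
    # A phone clock that is 5 minutes off produces codes outside the accepted window.
    skewed = now + 300
    print("accepted with skewed clock:", verify_consecutive(
        SAMPLE_SECRET, totp(SAMPLE_SECRET, skewed), totp(SAMPLE_SECRET, skewed + STEP), now))
```

Because every code is a pure function of the secret key and the current time step, anyone who holds the secret key can generate valid codes, and a device with a wrong clock cannot.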

Obtaining an MFA Verification Code

If virtual MFA–based login protection or operation protection is enabled, you need to enter an MFA verification code when you log in to the console or perform a critical operation.

Open the MFA application on your smart device, view the verification code displayed next to your account, and then enter the code on the console.

Unbinding a Virtual MFA Device

You can unbind the virtual MFA device as long as the mobile phone bound to the virtual MFA device is available and the virtual MFA device is still installed on your phone.

  1. On the IAM console, choose Account Security Settings in the navigation pane.
  2. Click the Account Settings tab, and then click Unbind next to Virtual MFA Device.
  3. Enter a verification code generated by the MFA application.
  4. Click OK.

Removing the Virtual MFA Device

If the mobile phone of an IAM user is unavailable or the virtual MFA device has been deleted from the user's phone, as an administrator, you can remove the virtual MFA device by performing the following procedure:

  1. Log in to the IAM console.
  2. On the Users page, click Security Settings in the row containing the user for whom you want to remove the bound virtual MFA device.
  3. On the Security Settings tab page, click Remove in the Virtual MFA Device row.

    Figure 1 Removing the virtual MFA device for an IAM user

  4. Click Yes.