MFA Devices
Multi-Factor Authentication
Multi-factor authentication (MFA) provides an additional layer of protection on top of the username and password. If you add an MFA device, users must, in addition to entering the username and password, enter a verification code, insert a hardware device, or verify their identity with a fingerprint, PIN, or facial information when they log in to the management console.
MFA Device Types
IAM supports the following MFA types:
- Virtual MFA: A virtual MFA device generates verification codes based on the Time-based One-time Password Algorithm (TOTP). IAM supports only software-based virtual MFA devices. The applications that implement TOTP are virtual MFA devices, which can run on mobile devices (such as mobile phones). After a virtual MFA device is added, users need to enter verification codes generated from virtual MFA devices in addition to their credentials during login.
- Security key: A more secure authentication method that can replace passwords. Huawei Cloud supports security keys based on the FIDO2 authentication protocol. Once security keys are enabled, you can utilize fingerprints, facial recognition, or PIN from devices like computers and smartphones, along with FIDO2-compliant security key devices, to perform multi-factor authentication. For instance, once a security key (like Yubikey) supporting the FIDO2 protocol is activated, you must plug it into the computer and tap it for authentication. When using a Windows Hello security key, you will need to verify your identity with fingerprints, PIN, or facial recognition.
Application Scenarios
MFA authentication is mainly used for login protection. You can bind both virtual MFA devices and security keys to an account or IAM user. You can select either of them for authentication. You can add only one virtual MFA device and a maximum of eight security keys to each root user or IAM user.
Login protection: When you or an IAM user under your account logs in to the console, you or that user needs to perform MFA authentication in addition to entering the username and password. This can improve the account security.
Notes and Constraints
- An IAM user can have only one virtual MFA device added.
- An IAM user can have a maximum of eight security keys added.
Adding a Virtual MFA Device
Before adding a virtual MFA device, you need to install an authenticator app (such as Google Authenticator or Microsoft Authenticator) on your mobile device.
After you add an MFA device for your Huawei Cloud account or IAM users, login protection is automatically enabled and the verification method is set to MFA verification. IAM users can add virtual MFA devices on the My Credentials page of the new console.
- Log in to the Huawei Cloud console, hover over the username in the upper right corner, and choose My Credentials from the drop-down list.
Figure 1 Choosing My Credentials
- Click Go to New Console.
Figure 2 Accessing My Credentials on the new console
- In the Multi-Factor Authentication (MFA) area, click Add MFA Device.
- Enter the device name. Only letters, digits, hyphens (-), and underscores (_) are allowed.
- Select an MFA device. Select Virtual MFA for Device Type and click Next.
- Add a virtual MFA device to your MFA application by scanning the QR code or entering the secret key.
- Scanning the QR code
Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Add MFA Device page. Then, the MFA application automatically adds the virtual MFA device.
- Entering the secret key
Open the MFA application on your mobile phone, and enter the secret key.
An MFA device can be manually added only using time-based one-time passwords (TOTP). You are advised to enable automatic time setting on your mobile device.
- View the dynamic codes on the home page of the MFA application. The codes are updated every 30 seconds.
- On the Add MFA Device page, enter two consecutive dynamic codes obtained from the virtual MFA device and click OK.
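The check behind the last step can be sketched as follows. This is an added example, not Huawei Cloud's implementation: it generates RFC 6238 TOTP codes and accepts an enrollment only when the two submitted codes belong to adjacent 30-second time steps. HMAC-SHA1, 6-digit codes, the ±1-step clock-drift window, and the function names are assumptions; the secret is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds; the page states codes are updated every 30 seconds
DIGITS = 6   # assumption: common authenticator-app default

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1 assumed) for the time step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      server_time: int, drift_steps: int = 1) -> bool:
    """Accept only if code1 and code2 are codes of two consecutive time steps.

    drift_steps (assumed value) bounds how far the phone clock may be off;
    a device with a badly skewed clock fails, which is why automatic time
    setting is recommended.
    """
    base = server_time // STEP
    for step in range(base - drift_steps - 1, base + drift_steps + 1):
        first = totp(secret_b32, step * STEP)
        second = totp(secret_b32, (step + 1) * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(first, code1) and hmac.compare_digest(second, code2):
            return True
    return False

# RFC 6238 test key ("12345678901234567890" in Base32), not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111111                       # constructed timestamp from RFC 6238
    c1, c2 = totp(RFC_SECRET, now - STEP), totp(RFC_SECRET, now)
    print(c1, c2, verify_enrollment(RFC_SECRET, c1, c2, now))
```

Requiring two consecutive codes confirms that the device holds the secret and that its clock advances in step with the server, rather than that a single code was copied once.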
Removing a Virtual MFA Device
- In the Multi-Factor Authentication (MFA) area, locate the MFA device and click Unbind in the Operation column.
- In the displayed dialog box, enter YES.
Figure 3 Confirming unbinding
- Click OK.
Binding a Security Key
- Log in to the Huawei Cloud console, hover over the username in the upper right corner, and choose My Credentials from the drop-down list.
Figure 4 Choosing My Credentials
- Click Go to New Console.
Figure 5 Accessing My Credentials on the new console
- In the Multi-Factor Authentication (MFA) area, click Add MFA Device.
- On the displayed page, enter a device name. Only letters, digits, hyphens (-), and underscores (_) are allowed.
- Select an MFA device. Select Security key for Device Type.
- Click Next.
- Select an authentication method for Windows Hello, such as PIN, face, or fingerprint.
Figure 6 Setting up Windows Hello
If your Windows device does not support enabling facial recognition and fingerprint, options such as Face and Fingerprint will not appear. FIDO2 will show you the options according to the authentication types supported by your device.
- Enter the PIN (or recognize the face or fingerprint). After the system authentication is successful, a dialog box is displayed, indicating that the binding is successful. Click OK. The security key will be displayed in the MFA device list.
Figure 7 MFA device added
- To set up a FIDO2 security key, select Use another device in the dialog box and plug the security key into the USB port of your computer.
Figure 8 Using another device
- In the displayed dialog box, select Security key and click Next.
Figure 9 Selecting the security key
- Click OK to confirm the settings.
Figure 10 Confirming the settings
- Click OK to install the security key.
Figure 11 Installing the security key
- Enter the PIN of the security key and click OK.
Figure 12 Entering the PIN
- Touch the security key.
Figure 13 Touching the security key
- Click OK in the displayed dialog box indicating that the hardware MFA device is added. The security key will be displayed in the MFA device list.
Figure 14 MFA device added
Unbinding a Security Key
You can unbind a security key on the console as an IAM user or using your account.
- In the Multi-Factor Authentication (MFA) area, locate the target security key and click Unbind in the Operation column.
- In the displayed dialog box, enter YES.
Figure 15 Confirming unbinding
- Click OK.