Help Center/ Cloud Bastion Host/ User Guide/ Authentication Configuration/ Configuring Multifactor Verification/ Configuring Mobile OTP Login Verification

Updated on 2025-09-29 GMT+08:00

View PDF

Configuring Mobile OTP Login Verification

A mobile OTP is a mobile application that can generate a dynamic password for identity verification.

In mobile OTP verification method, both your static login password and a 6-digit one-time password are required for login.

After mobile OTP authentication, the bastion host can be used in a non-public network environment as long as the bastion host time is the same as the mobile phone time.

If you want to enable MFA for the admin account, you need to configure the mobile phone token first, or the admin account cannot log in to the system in MFA mode.

If the mobile OTP expires and the login fails, reset the login method for user admin. For details, see Resetting Login Method for User admin.

Currently, built-in mobile OTPs and Remote Authentication Dial In User Service (RADIUS) mobile OTPs are supported.

Built-in mobile OTPs support Time-based One-Time Password (TOTP). You need to bind a mobile OTP to a user in the Profile module in your bastion host system. You can bind a mobile OTP through a WeChat applet or other similar programs, such as Google Authenticator and FreeOTP Authenticator, that support TOTP.
RADIUS mobile OTPs also support TOTP. You need to connect to the RADIUS server you have created and bind the mobile OTP on the RADIUS server. You can bind the mobile OTP through a WeChat applet or similar programs, such as Google Authenticator and FreeOTP Authenticator, that support TOTP.

Constraints

Ensure that your bastion host and mobile phone have the same system time, accurate to the seconds. Otherwise, the system may prompt that the mobile OTP fails to be bound.

Synchronize the bastion host system time to the mobile phone time. Refresh the page, scan the new QR code, and try again.

Step 1: Configure the Mobile OTP Type

Log in to your bastion host.
Choose System > System Config > Security.
In the Mobile Token Settings area, click Edit.

In the displayed Mobile Token Settings dialog box, select a mobile OTP type.

You can select Built-in or RADIUS. If you select RADIUS, the parameters are described as follows:

**Table 1** RADIUS mobile OTP parameters
Parameter	Description
Server	Enter the IP address of the RADIUS server.
Port	Enter the port number of the RADIUS server.
Protocol	The options are PAP and CHAP.
Password	Enter the shared key for RADIUS server authentication.
Timeout	Configure an authentication timeout. The value ranges from 5 to 30, in seconds. A maximum of three authentication attempts are allowed, and each attempt must be within the configured authentication timeout.

Click OK. You can then check the mobile token settings of the current system user on the Security tab.

Step 2: Bind a Mobile OTP as a Common User

Built-in Mobile OTP

Log in to your bastion host using your static password.
On the Dashboard page, click the user name in the upper right corner and choose Profile.
On the displayed Profile page, click the Mobile OTP tab.

On the displayed page, follow the instructions to bind a mobile OTP.

If you do not have the WeChat app, use the Google verification code program to scan the second QR code.
(Optional) To unbind the mobile OTP, click Unbind on the Mobile OTP tab.

RADIUS Mobile OTP

Create a user on the RADIUS server and bind a mobile OTP for the user as prompted.

Step 3: Enable Mobile OTP Authentication for a User as the Administrator

Built-in Mobile OTP

Log in to your bastion host as the administrator.
Choose User > User to go to the User management page.
Select a user having mobile OTP bound and click its LoginName.
In the User Setting area, click Edit.
In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
Click OK.

The next time the user logs in to the system, they will have to provide a mobile OTP.

RADIUS Mobile OTP

Create a user in the bastion host system. The login name of the user must be the same as that of the user created on the RADIUS server in 1.

Log in to your bastion host as the administrator.
Choose User > User to go to the User management page.

Click New. In the displayed New User dialog box, complete required parameters.

**Table 2** Parameters for creating a user
Parameter	Description
LoginName	The login name must be the same as the name of the user created on the RADIUS server. The LoginName must be unique in a system and cannot be changed once created.
Authentication Type	Select Local. Local: The user is verified against the account management system of the bastion host. This method is the default method.
Password/Confirm Password	You need to specify a custom password for logging in to the system.
UserName	User-defined username. This name indicates the name of the person who uses the account so that system users can be distinguished from each other.
Mobile	Enter the mobile phone number. This number is used for SMS authentication logins and password resetting.
Email	Enter an email address. The bastion host sends notifications to this email address.
Role	Specifies the role to be assigned to the user. Only one role can be assigned. By default, system roles include DepartmentManager, PolicyManager, AuditManager, and User. DepartmentManager: responsible for managing departments. Except the User and Role modules, this role has the configuration permissions for all other modules. PolicyManager: responsible for configuring policy permissions. This role has the configuration permissions for the User Group, Account Group, and ACL Rules modules. AuditManager: responsible for auditing system and maintenance data. This role has the configuration permission for Live Session, History Session, and System Log modules. User: common system users and resource operators. This role has the permissions for the Host Operations, App Operations, and Ticket approval modules. User-defined role: Only the admin user can customize a new role or edit permissions of a default role.
Department	Select the department that the user belongs to. For details about how to create a department, see Creating a Department.
Remarks	Brief description of the user.

Click OK.
On the User page, you can view the created user.

Configure mobile OTP authentication for the same user in the bastion host system.
1. Go to the User page.
2. Select the same user and click its LoginName.
3. In the User Setting area, click Edit.
4. In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
5. Click OK.
  The next time the same user logs in to the system, they will have to provide a mobile OTP.

Parent topic: Configuring Multifactor Verification

Previous topic: Configuring SMS Login Verification

Next topic: Configuring USB Key Login Verification

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot