Overview
What Is MFA Authentication?
MFA authentication provides an additional layer of protection on top of the username and password. If MFA authentication is enabled, you need to enter the username and password (first factor) as well as a verification code (second factor) when performing certain operations. These factors together keep your account and resources secure.
MFA authentication can also be enabled to verify a user's identity before the user is allowed to perform critical operations.
MFA Authentication Methods
MFA authentication can be performed using SMS, email, a virtual MFA device, or a security key.
- Virtual MFA: A virtual MFA device generates 6-digit verification codes based on the Time-based One-time Password Algorithm (TOTP). Software-based virtual MFA devices (authenticator apps) can run on mobile devices (such as smartphones) and are easy to use. After a virtual MFA device is added, users need to enter dynamic verification codes generated from MFA devices in addition to their credentials during login.
- Security key: A security key uses a password plus a hardware device for two-factor authentication to protect resources and privacy. Currently, Huawei Cloud supports security keys based on the Fast IDentity Online (FIDO) protocol and Windows Hello. After a FIDO-based hardware MFA device, such as a YubiKey, is added, users need to insert the device and touch it to verify their identities in addition to entering their credentials during login. After a Windows Hello security key is added, users need to pass identity verification with their fingerprint, PIN, or facial information.
Application Scenarios
MFA authentication is suitable for login protection and critical operation protection. You can bind a virtual MFA device to an IAM user for login protection and operation protection. Security keys are used for login protection only. If MFA authentication is enabled, the setting takes effect for both the management console and REST APIs.
- Login protection: When you or an IAM user logs in to the console, a verification code must be entered in addition to the username and password.
- Operation protection: When you or an IAM user under your account attempts to perform a critical operation, such as deleting an ECS resource, a verification code must be entered to proceed.
For more information about login protection and critical operation protection, see Critical Operation Protection.
Constraints
- An IAM user can have only one virtual MFA device added.
- An IAM user can have a maximum of eight security keys added.