Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ User Guide/ Account Security Settings/ Login Authentication Policy
Updated on 2025-11-07 GMT+08:00
View PDF
Share

Login Authentication Policy

The Login Authentication Policy tab on the Security Settings page provides settings including Session Timeout, Account Lockout, Account Disabling, Recent Login Information, Custom Login Prompt, and Access Control.

Only the administrator can configure the login authentication policy, while IAM users cannot. If an IAM user needs to modify the policy settings, the user can request the administrator to perform the modification or grant the required permissions.

Session Timeout

Set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period.

Figure 1 Session timeout policy

The timeout ranges from 15 minutes to 24 hours, and the default timeout is 15 minutes.

Account Lockout

Set a duration to lock users out if a specific number of unsuccessful login attempts has been reached within a certain period. You cannot unlock your own account or an IAM user's account. Wait until the lock time expires.

Figure 2 Account lockout policy

You can set the account lockout duration, maximum number of unsuccessful login attempts before the account is locked, and time for resetting the account lockout counter. If the maximum number of unsuccessful login attempts is exceeded within the specified period, the root user or IAM user will be locked for a specified period of time.

  • Account lockout duration: The value range is from 15 minutes to 24 hours, and the default value is 15.
  • Maximum number of unsuccessful login attempts: The value range is from 3 to 10, and the default value is 5.
  • Time for resetting the account lockout counter: The value range is from 15 to 60 minutes, and the default value is 15.

Account Disabling

Set a validity period to disable IAM users if they have not accessed Huawei Cloud using the console or APIs within a certain period.

This option is disabled by default. It can be enabled by the administrator. The validity period is from 1 day to 240 days.

If you enable this option, the setting will take effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable their account again.

Recent Login Information

Configure whether you want the system to display the previous login information after you log in. If incorrect login information is displayed on the Login Verification page, change your password immediately.

This option is disabled by default and can be enabled by the administrator.

Custom Login Prompt

Set custom information that will be displayed upon successful login. For example, enter the word Welcome.

No information is displayed by default, and the administrator can set custom information that will be displayed.

Figure 3 Custom login prompt

You and all the IAM users created using your account will see the same information upon successful login.

Figure 4 Login verification

Access Control

  • IP Address Ranges for Console Access
    Takes effect only for all IAM users under your account and federated users (SP-initiated) during console access. This setting does not take effect for the account itself.
    • You can set up to 200 IP address ranges and IP addresses/network segments in total.
    • You can set both IPv4 and IPv6 addresses.
    • If an IAM user accesses Huawei Cloud through a proxy server, set the allowed IP addresses, address ranges or CIDR blocks based on the proxy IP address. If an IAM user accesses Huawei Cloud through a public network, set them based on the public IP address.
    Figure 5 IP address ranges

    You can specify the IP address range to control access to Huawei Cloud. The IPv4 address range is from 0.0.0.0 to 255.255.255.255 and the default setting is 0.0.0.0-255.255.255.255. The IPv6 address range is from 0:0:0:0:0:0:0:0 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF and the default setting is 0:0:0:0:0:0:0:0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF. If you do not specify a range or use the default range, IAM users can access Huawei Cloud from any IP addresses.

  • IP CIDR Blocks for Console Access

    Takes effect only for all IAM users under your account and federated users (SP-initiated) during console access. This setting does not take effect for the account itself.

    Specify CIDR blocks to control access to Huawei Cloud. For example, set CIDR Block to 10.10.10.10/32.

    • You can set up to 200 IP address ranges and IP addresses/network segments in total.
    • You can set both IPv4 and IPv6 addresses.
    • If an IAM user accesses Huawei Cloud through a proxy server, set the allowed IP addresses, address ranges or CIDR blocks based on the proxy IP address. If an IAM user accesses Huawei Cloud through a public network, set them based on the public IP address.
    • If both IP Address Ranges and CIDR Blocks are set, access from either of them is allowed.