Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ User Guide/ Identity/ IAM Users/ Multi-Factor Authentication/ Overview
Updated on 2025-11-07 GMT+08:00
View PDF
Share

Overview

Multi-Factor Authentication

Multi-factor authentication (MFA) provides an additional layer of protection on top of the username and password. If you add an MFA device, users need to enter a verification code, insert a hardware device, or pass the identity verification with fingerprint, PIN, or facial information, in addition to the username and password when they are logging in to the management console.

MFA Device Types

IAM supports the following MFA types:

  • Virtual MFA: A virtual MFA device generates verification codes based on the Time-based One-time Password Algorithm (TOTP). IAM supports only software-based virtual MFA devices. The applications that implement TOTP are virtual MFA devices, which can run on mobile devices (such as mobile phones). After a virtual MFA device is added, users need to enter verification codes generated from virtual MFA devices in addition to their credentials during login.
  • Security key: A more secure authentication method that can replace passwords. Huawei Cloud supports security keys based on the FIDO2 authentication protocol. Once security keys are enabled, you can utilize fingerprints, facial recognition, or PIN from devices like computers and smartphones, along with FIDO2-compliant security key devices, to perform multi-factor authentication. For instance, once a security key (like Yubikey) supporting the FIDO2 protocol is activated, you must plug it into the computer and tap it for authentication. When using a Windows Hello security key, you will need to verify your identity with fingerprints, PIN, or facial recognition.

Application Scenarios

MFA authentication is mainly used for login protection. You can bind both virtual MFA devices and security keys to an account or IAM user. You can select either of them for authentication. You can add only one virtual MFA device and a maximum of eight security keys to each root user or IAM user.

Login protection: When you or an IAM user under your account logs in to the console, you or that user needs to perform MFA authentication in addition to entering the username and password. This can improve the account security.

Notes and Constraints

  • An IAM user can have only one virtual MFA device added.
  • An IAM user can have a maximum of eight security keys added.