Updated on 2024-11-15 GMT+08:00

Enabling 2FA

Two-factor authentication (2FA) requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes. You have to choose an SMN topic for servers where 2FA is enabled. The topic specifies the recipients of login verification codes, and HSS will authenticate login users accordingly.

Prerequisites

  • You have created a message topic whose protocol is SMS or email.
  • Server protection has been enabled.
  • To enable 2FA, you need to disable the SELinux firewall.
  • On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.

Constraints and Limitations

  • If 2FA is enabled, it can be used only in following scenarios:
    • Linux: The SSH password is used to log in to an ECS, and the OpenSSH version is earlier than 8.
    • Windows: The RDP file is used to log in to a Windows ECS.
  • When two-factor authentication is enabled for Windows ECSs, the User must change password at next logon function is not allowed. To use this function, disable two-factor authentication.

Enabling 2FA

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. Choose Installation & Configuration > Server Install & Config and click Two-Factor Authentication.
  4. Select servers and click Enable 2FA above the list, or select a server and click Enable 2FA in the Operation column.

    Figure 1 Enable 2FA.

  5. In the displayed Enable 2FA dialog box, select an authentication mode.

    • SMS/Email

      You need to select an SMN topic for SMS and email verification.

      • The drop-down list displays only notification topics that have been confirmed.
      • If there is no topic, click View to create one. For details, see Creating a Topic.
      • During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
      Figure 2 SMS/Email verification
    • Verification code

      Use the verification code you receive in real time for verification.

  6. Click OK. After 2FA is enabled, it takes about 5 minutes for the configuration to take effect.

    When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.

    To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.