Enable MFA for an IAM user

Last updated:2020-07-19 00:07:28

This topic describes how to configure multi-factor authentication (MFA) for IAM users in the Kingsoft Cloud console to improve IAM user security.

Enable MFA for an IAM user

A Kingsoft Cloud account or an authorized IAM user can enable MFA for an IAM user. The procedure is as follows:

  1. Log in to the Kingsoft Cloud console (new version) with your Kingsoft Cloud account and password.

  2. Choose Product and Services > Monitor and Management > IAM. In the left navigation pane, choose Identities > Subusers. The Subusers page appears.

  3. On the Subusers page, click the name of an IAM user to go to the User details page. On the Safety management tab, the value of Operation Protection or Login Protection is Disabled in the MFA Device section.

  4. Click Edit Rule next to Console Logon Management. On the Edit Rule pane that appears, select Enable MFA in the Operation Protection or Login Protection section, as shown in the following figure.

image.png

After MFA is enabled, the IAM user will be prompted to bind a virtual MFA device at the next login. If login protection is enabled, the IAM user can log in to the Kingsoft Cloud console only after a virtual MFA device is bound. If operation protection is enabled, the IAM user can perform sensitive operations in the Kingsoft Cloud console only after a virtual MFA device is bound.

Bind a virtual MFA device to an IAM user

The procedure of binding a virtual MFA device consists of three steps.

image.png

  1. Prepare a virtual MFA device.
    Applications that can be used as MFA devices including Google Authenticator.

  2. Add your account and complete Time-based One-time Password (TOTP) verification.
    Scan the second QR code in the preceding figure with Google Authenticator. You can also manually enter the account and key.
    The application generates a new verification code every 30s. Enter two consecutive verification codes to activate the MFA feature for the IAM user.

  3. Complete the binding.
    After the verification, the MFA feature is activated for the IAM user. You are redirected to the homepage of IAM console.

Replace the MFA device or disable MFA for an IAM user

To unbind a virtual MFA device from an IAM user, go to the user details page and click Unbind MFA on the Safety management tab. In the dialog box that appears, click Continue. Complete security verification to unbind the virtual MFA device. Note that this operation simply unbinds the IAM user from the MFA device. Next time when the IAM user attempts to log in to the Kingsoft Cloud console, the IAM user will be still required to bind to an MFA device.

image.png

To disable MFA for an IAM user, go to the user details page, click Edit Rule next to Console Logon Management, and then disable login and operation protection. Complete security verification to disable MFA for the IAM user. This operation will not unbind the IAM user from the MFA device.

image.png

Delete the MFA token

Before you delete the MFA token on Kingsoft Cloud Authenticator or Google Authenticator, make sure that MFA has been disabled for your account. Otherwise, you cannot pass authentication at the next login.

Did you find the above information helpful?

Unhelpful
Mostly Unhelpful
A little helpful
Helpful
Very helpful

What might be the problems?

Insufficient
Outdated
Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions

0/200

Please give us your feedback.

Submitted

Thank you for your feedback.

问题反馈