百度智能云

All Product Document

          Identity and Access Management

          Two factor Authentication

          What is the Two Factor Authentication

          The Two Factor Authentication is an additional layer of security authentication in addition to the username and password, and it is used to ensure the security of the user who logs in and uses the resources of Baidu AI Cloud, and it is also commonly known as 2-Step Authentication or Multifactor Authentication.

          Mode of Two Factor Authentication

          Baidu AI Cloud supports two modes of multifactor authentication, namely SMS and virtual MFA.

          • SMS Verify the user's identity by sending time-limited SMS verification code to the secure mobile phone bound to the cloud account;
          • Virtual MFA: Verify the user's identity through the verification code generated by virtual MFA App bound to the cloud account, and such verification mode is higher than SMS verification in terms of security level, so you are recommended to enable such verification mode;

          If the user enables the above-mentioned two modes of multi-factor verification, it is OK to pass any of the verifications. In order to ensure the security of your cloud resources and funds, the master account and administrator are recommended to enable multi-factor verification for their own account, and also to enable the multi-factor verification for the IAM user.

          Protection Domain

          Currently, the Two Factor Authentication of Baidu AI Cloud supports the login and operation protection:

          • Login protection: If the login protection is enabled, the login cannot be successful until the identity is verified by SMS or MFA when you log in the account.
          • Operation protection: After the operation protection is enabled, the secondary verification of identity needs completing at first before the user performs any sensitive operations to ensure that the operation is made by the user himself. Currently, the operation protection only supports the mode of SMS verification;

          Enable the Two Factor Authentication

          Any user of Baidu AI Cloud can enable the Two Factor Authentication for himself; meanwhile, in order to ensure the security of the IAM user's access to the cloud resources, the master account and the IAM user of the administrator can enable the Two Factor Authentication for the IAM user.

          Enable the Two Factor Authentication for their own for login protection

          Prerequisite

          Have the account of Baidu AI Cloud: Master account or IAM user.

          Operation steps

          1.Log in the Baidu AI Cloud Console, or the user logs in the link and complete the login; 2.Move the mouse to the head portrait at the top right corner, and enter the User Center; 3.Click the button Setting after the field login Protection in the Security Information; 4.Click the option Enabled in the pop up, you can select 1 or 2 modes of Two Factor Authentication, and to select virtual MFA mode, you need to bind the virtual MFA App, and please refer to bind [Virtual MFA](#Bing Virtual MFA) for specific operations; 5.Click Confirmation to complete the setting;

          The administrator enables the Two Factor Authentication for the IAM user

          Prerequisite

          The login account is the master account, or the IAM user of the administrator.

          Operation steps

          1.Log in the Baidu AI Cloud Console, or the user logs in the link and complete the login; 2.Move the mouse to the top right corner, and click Identity and Access Management to enter the User Management > IAM user; 3.Click the selected IAM user name to enter the detail page of the IAM user; 4.Click the button Edit in Two Factor Authentication module; 5.You can choose to enable the Login Protection and Operation Protection for the IAM users, among which the Login Protection can choose to enable 1 or 2 modes of Two Factor Authentication, while the Operation Protection only supports the mode of SMS authentication.

          Note:

          1.If the IAM user is enabled the login protection, but the IAM user has not bound the phone number or bound the virtual MFA yet, the system automatically jumps to the page on which the phone number/virtual MFA is bound when the IAM user logs in the console the next time for the operation to bind the phone/virtual MFA. Please refer to the [Bind Virtual MFA](#Bind Virtual MFA); 2.If the administrator enables the operation protection for the IAM user and the IAM user binds the phone number, the system sends a message to the IAM user for verification when the account exception is detected or the sensitive operations are performed; 3.If the administrator disables the operation protection for the IAM user, no message is sent to the IAM user in case of account exception detected or sensitive operations performed.

          Disable the Two Factor Authentication

          For the operation method and path, please refer to [Enable Two Factor Authentication](#Enable Two Factor Authentication), set the login protection or operation protection that has been enabled already to disabled status.

          Bind the Virtual MFA

          The user needs to bind the virtual MFA before enabling the virtual MFA authentication. The administrator enables the MFA authentication for the IAM user, who shall bind the virtual MFA at first before the IAM user logs in the console next time.

          Operation steps

          1. Download the identity authenticator. You must install an MFA application on the smart device before you can proceed, and you are recommended to install Baidu AI Cloud APP or Google Authenticator.

            Note:

            • For ios version, search "Baidu AI Cloud" or "Google Authenticator" in the App Store for installation.
            • For the Google Authenticator of Android version, It relies on an external QR code to scan components, you also need to search and install "Bar-code Scanner" in the App Store. Therefore, the users of Android version are recommended to use "Baidu AI Cloud APP" or other identity authenticator you commonly used for installation.
          2. Bind MFA.

            • Select Baidu AI Cloud APP: Enter the page of console, click "Virtual MFA", and scan the QR code on the computer.
            • Select other identity authenticator: Click the icon of Scan on Identity Authenticator APP, and scan the QR code on the computer.

            After the scan is successful, the system adds users automatically, and App displays the account and key. Enter the page on which the dynamic password of Virtual MFA is displayed. The dynamic password is updated every 30 seconds.

            Note: If your account is shared by multiple persons, after you bind MFA successfully, other people who do not bind MFA cannot log in to the account. The solution is to have other people install the MFA application and scan the QR code on such page, or save the image of such QR code for others to scan later.

          3. Enter two consecutive sets of command to the page on the computer, and then click the button Confirm to Enable. The operation to bind the virtual MFA device is completed.

          Unbind the Virtual MFA

          To unbind the virtual MFA requires the authenticate the virtual MFA device that has been bound, and if you have deleted the installed virtual MFA App from your mobile phone by mistake, you need to submit a ticket to the background for unbinding.

          Previous
          User Management
          Next
          IAM User Operation