Configure two-factor authentication

ARM hosts do not support two-factor authentication.

 

Perform this task to enable operators to log in to the system through certificate authentication, one-time passwords (OTPs), or verification codes. After you enable two-factor authentication, operators log in to the system with usernames, passwords, and PIN numbers, OTPs, or verification codes.

Restrictions and guidelines

To enable certificate authentication, make sure the uploaded root certificate is correct and the USB key can be used to log in to the system correctly.

To enable OTP authentication, make sure the uploaded agent configuration file is correct.

Procedure

1. On the top navigation bar, click Services.

2. From the left navigation pane, select Security > 2FA Authentication.

The current 2FA authentication settings are displayed.

3. Click Edit.

4. To enable 2FA, select Yes, and then select the authentication mode and configure the related parameters, and then click OK.

5. To clear the 2FA authentication settings and restore the disabling state, click Reset.

Parameters

• Enable 2FA: Enable two-factor authentication to configure the operators to log in to the system with usernames, passwords, and PIN numbers, OTPs, or verification codes.

• Authentication: Select the authentication mode. Options include Certificate Authentication, OTP, and Verification Code.

• If you enable certificate authentication, you must also configure the following parameters:

• Root Certificate: Select the root certificate used to verify the USB keys. The selected root certificate is automatically uploaded to the system. The root certificate file cannot exceed 5 MB.

• Update CRL: Enable the system to update the CRL regularly.

• URL: Enter the website address for filtering the CRL.

• Frequency: Select the CRL update frequency. Options include Monthly, Weekly, and Daily.

• Time: Specify the time when the CRL will be updated.

• If you enable OTP authentication, you must also configure the following parameters:

• OTP Vendor: Specify the OTP vendor. Options include FEITIAN and AISEC.

• Primary Authentication Agent Settings: Upload the authentication agent configuration file. This field is required only when the OTP vendor is FEITIAN. To download the configuration file, can access the FEITIAN Technologies OPT Server management center.

• Authentication Server Address: Specify the address of the authentication server. This field is required only when the OTP vendor is AISEC.