TOTP Certification
Function Entrance
Left-hand navigation menu User Management --> Security Settings
Function Description
In addition to user password authentication when logging in to zCloud, TOTP (Time-based One-Time Password) authentication is also supported to enhance user login authentication and improve account security.
Operating Instructions
TOTP Meaning
- TOTP (Time-based One-Time Password Algorithm) is an algorithm that takes a timestamp and a pre-shared secret key as inputs to generate a one-time password, which is verified against the server to confirm the user's identity. Due to the strong security and unpredictability of the TOTP algorithm, it effectively protects user account security.
  TOTP authenticators typically generate a new password every 30 or 60 seconds: the verification code refreshes at that interval and becomes invalid once it expires. Because the password is calculated from the current time, client and server clocks must be kept accurately synchronized for the codes to match.
- It can work even without an internet connection:
  TOTP does not require a network connection on the smartphone or a physical hardware key. The TOTP token only needs to obtain the shared secret key value once; after that, the security system and the TOTP generator can each produce the same sequence of password values without communicating. Thus, even if the computer is turned off, the time-based one-time password (TOTP) keeps working.
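As an added example (not zCloud's own code), the following Python implements the TOTP scheme described above (RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits) together with a server-side check that tolerates one step of clock skew; it uses the published RFC 4226/6238 test secret rather than a real key, and the `totp` and `verify` function names are this example's own. It also shows why a phone clock that drifts too far from the server produces the "code does not match" failure noted in the binding and login steps.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226/6238 test secret ("12345678901234567890" in base32); not a real key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the 30-second refresh interval the page describes
DIGITS = 6          # the 6-digit code the authenticator app shows


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: counter = floor(unix_time / step), then HOTP (RFC 4226) dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus skew_steps neighbouring steps.

    A code from a phone whose clock is off by more than skew_steps * STEP_SECONDS is
    rejected; that is the mismatch the page tells users to fix by correcting phone time.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)
    print("current code:", code, "accepted:", verify(RFC_TEST_SECRET_B32, code, now))
    # Simulate a phone clock 90 s behind the server: outside the one-step tolerance.
    stale = totp(RFC_TEST_SECRET_B32, now - 90)
    print("stale code accepted:", verify(RFC_TEST_SECRET_B32, stale, now))
```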
Enable/Disable TOTP
- The platform administrator spadmin logs in to zCloud;
- Go to User Management --> Security Settings;
- Click the switch to enable/disable TOTP authentication.
  When enabled, all users (except those on the whitelist) are required to use TOTP for secondary verification when logging in to zCloud;
  When disabled, no user needs TOTP authentication to log in to zCloud;
  Enabling or disabling TOTP authentication does not require restarting the server. After re-enabling, users can use their previously bound TOTP for secondary verification without needing to re-bind.
Set TOTP Whitelist
If you want some users to be exempt from TOTP two-factor authentication, you can set up a whitelist;
- The platform administrator spadmin logs in to zCloud;
- Set up the TOTP whitelist (after TOTP authentication is enabled, the platform administrator is on the whitelist by default);
- Click [Create Whitelist] to move users who do not need to enable TOTP into the whitelist;
- Click Delete to remove users from the whitelist.
- If the platform administrator is removed from the whitelist and later cannot use a mobile phone or authentication device to complete TOTP verification when logging in to zCloud, the only recourse is to contact Yunhe Enmo engineers for assistance.
Bind TOTP
Accounts that have not yet bound TOTP must complete TOTP two-factor binding when first entering zCloud.
- Users log in to zCloud;
- The system prompts users to download and install an authentication app on their mobile phone: Alibaba Cloud APP;
- Scan the QR code to bind;
  When the mouse hovers over the icon, it prompts: Scan the QR code in the Alibaba Cloud APP to add.
  Click the help icon to display a popup window "Help Document."
- Users use the installed authentication app (the MFA function in the top right corner of the Alibaba Cloud APP) to scan the QR code;
- The authentication app saves the account and key, and generates a 6-digit dynamic verification code that updates every 30 seconds;
- Users enter the 6-digit dynamic verification code generated by the authentication app in zCloud;
- zCloud verifies whether the dynamic verification code entered by the user matches the verification code generated by the server; if they do not match, ensure that the mobile phone system time is consistent with the zCloud system time;
- If the QR code cannot be scanned, the text key is displayed; users can enter an email address to have the text key sent to that mailbox, and then add the account and key manually in the app.
- After binding is successful, click [Enter zCloud].
Use TOTP Authentication to Enter zCloud
Applies to user accounts that have bound TOTP and are not on the whitelist, while TOTP authentication is enabled.
- Users log in to zCloud;
- Users open the Alibaba Cloud APP to view the generated 6-digit dynamic verification code, which updates every 30 seconds;
- Users enter the 6-digit dynamic verification code in zCloud;
- zCloud verifies whether the dynamic verification code entered by the user matches the verification code generated by the server; if they do not match, ensure that the mobile phone system time is consistent with the zCloud system time;
  Click the help icon to view the help document.
- If neither the mobile phone nor the TOTP authentication device can be used, contact the administrator to unbind.
Unbind TOTP
A zCloud account that has been bound to TOTP can be unbound.
- Contact the tenant administrator or platform administrator to unbind the current account's TOTP;
- The tenant administrator or platform administrator enters User Management, where the TOTP binding status of each user is displayed, and unbinds the corresponding account's TOTP;
  Click More --> Unbind TOTP.
- After unbinding succeeds, the TOTP binding status is displayed as not bound.