Skip to main content
Protecting your OVHcloud account protects every service running under it. This guide covers the security measures available to you and how to enable them.

Two-factor authentication (2FA)

Two-factor authentication adds a second verification step when you log in. Even if your password is compromised, an attacker cannot access your account without also controlling your second factor. OVHcloud supports four 2FA methods:
  • SMS — a one-time code sent to your mobile number each time you log in.
  • Mobile app (TOTP) — an authenticator app (such as FreeOTP or OTP Auth) generates a time-based code. No internet connection is needed on the device once it is set up.
  • Security key (U2F) — a physical hardware key (for example, a YubiKey) plugged into a USB port. This offers the strongest protection as the key is independent from your computer and phone.
  • Backup codes — ten single-use codes generated when you first enable 2FA. These complement another active method and let you recover access if you lose your primary device.
Enabling 2FA on your OVHcloud account is a mandatory requirement for compliance with the HDS (Health Data Hosting) certification.

Enabling 2FA

1

Open account security settings

Click your name in the top-right corner of the Control Panel, select Access my account, then Security. You can also go directly to Account security.
2

Click 'Enable two-factor authentication'

Choose your preferred method — SMS, mobile app, or security key — and click Next.
3

Register your device

  • SMS: Enter your mobile number in international format (for example, +44712345678). A validation code is sent by SMS — enter it to confirm.
  • Mobile app: Scan the QR code shown in the Control Panel with your authenticator app. If your app does not support QR codes, click Show secret to enter the key manually. Enter the generated code to confirm.
  • Security key: Plug in your U2F key when prompted and press its button. Accept the browser pop-up if one appears.
4

Save your backup codes

After adding your first 2FA method, the Control Panel displays 10 single-use backup codes. Save these immediately in a secure location — for example, a password manager.
If you lose access to your 2FA device and do not have backup codes, recovering your account requires sending identity documents to OVHcloud support, which can take up to 72 hours. Keep your backup codes safe.
5

Add additional methods (optional)

You can register multiple 2FA methods on the same account. Adding a secondary method (for example, a security key in addition to SMS) ensures you always have a fallback.

Logging in with 2FA

After entering your password, the Control Panel shows the last 2FA method you used. To switch to a different method, click Try another method. To use a backup code, select that option and enter one of your saved codes.

If you lose a 2FA device

If a device is lost or stolen:
  1. Use your saved backup codes to log in.
  2. Go to Account security and remove the lost device from the list.
  3. Re-enable 2FA with a replacement device.
If you cannot log in at all (no backup codes, no alternative device), go to the Control Panel login page, enter your credentials, and at the 2FA step click I have lost access to my mobile phone, U2F security key or emergency codes. You will be asked to upload identity documents. OVHcloud will disable 2FA within 72 hours after verifying your documents.
Once access is restored, re-enable 2FA immediately to keep your account protected.

Restricting IP access to the Control Panel

You can limit Control Panel access to specific IP addresses. Combined with 2FA, this significantly reduces the risk of unauthorised access.
IP restrictions only secure access to the OVHcloud Control Panel. They do not protect the services themselves (for example, SSH access to a server). Secure each service individually.
1

Find your public IP addresses

You need the public IP address of each device you want to allow. Visit whatismyip.com from each device to retrieve it.
Most ISPs assign dynamic IP addresses that can change on reboot or every 24–48 hours. Confirm with your ISP whether your IP is static before enabling restrictions. Locking yourself out with a dynamic IP requires an administrative procedure to recover access.
2

Open account security settings

Go to Account security and find the IP access restriction section. Click Enable next to IP access restriction.
3

Add authorised IP addresses

Click Add a restriction, enter your public IP address, set the rule to Authorised, and click Confirm. Repeat this for every IP address you want to allow.
4

Set the default rule to Denied

Once all authorised IPs are added, change the Default rule to Denied and click Validate. From this point, only the IPs you listed can access the Control Panel.
Do not set the default rule to Denied before you have added at least one authorised IP address. Doing so will lock out all connections, including your own.
You can also use this feature in reverse — allow all IPs by default and explicitly block specific known-bad addresses.

Recognising phishing and fraudulent emails

Phishing emails impersonate OVHcloud to trick you into entering your credentials or payment details on a fake website. Never click a link in an email to log in to your account. Instead, open your browser and navigate to ovhcloud.com directly.

How to identify a genuine OVHcloud email

Check the following before acting on any email that appears to be from OVHcloud:
  • Sender domain — genuine OVHcloud emails come from addresses ending in @ovhcloud.com, @ovh.com, or other official OVHcloud domains (such as news.ovhcloud.com or services.kimsufi.com). Any other sender domain is suspicious.
  • Your NIC handle in the subject — legitimate OVHcloud emails typically include your NIC handle or primary email address in the subject line.
  • Hover over links before clicking — without clicking, move your cursor over any link or button in the email. The destination URL appears at the bottom of your browser. If it does not point to an official OVHcloud domain, do not click it.
  • Check your messages in the Control Panel — all official emails OVHcloud sends you are also visible at My messages in the Control Panel. If an email is not there, treat it with caution.

How to verify a suspicious URL

Read the URL from right to left. The real domain is the two parts immediately before the first /. For example:
  • https://www.ovhcloud.com/account/login — real domain is ovhcloud.com (legitimate)
  • https://ovhcloud.com.login-secure.xyz/account — real domain is login-secure.xyz (fraudulent)
Also watch for:
  • Lookalike characters — ovhcIoud.com (capital I instead of lowercase L), 0vhcloud.com (zero instead of O).
  • URL shorteners such as bit.ly or tinyurl.com — OVHcloud never uses these in official emails.
  • On mobile, long-press a link to preview the full URL before opening it.
  • Entered your OVHcloud password — go to Account security and change your password immediately. Then enable 2FA if you have not already done so.
  • Entered payment card details — contact your bank immediately to block the card and dispute any fraudulent transactions.

Reporting a phishing email

Save the email as a file (.eml or .msg format — do not forward it directly) and attach it to a new email sent to [email protected]. Forwarding without saving as a file strips the technical headers that OVHcloud needs to investigate the fraud.

Security best practices

  • Use a strong, unique password — at least 12 characters, mixing upper and lower case letters, numbers, and special characters. Do not reuse passwords across services.
  • Store credentials in a password manager — tools like KeePass or Bitwarden generate and store complex passwords securely.
  • Add a backup email address — set a different email address as a fallback on your profile. This helps you regain access if your primary email becomes unavailable.
  • Never share your account credentials — if you need to grant someone access to your services, use contacts management or local users with IAM policies instead.
  • Act quickly if you suspect compromise — if you receive a login notification you do not recognise, change your password and enable 2FA immediately. Then open a support request to inform OVHcloud.

Single Sign-On (SSO) integrations

If your organisation uses a centralised identity provider, you can connect it to your OVHcloud account using SAML 2.0. This lets users log in to the OVHcloud Control Panel through your existing identity infrastructure.
Link your on-premises Active Directory Federation Services deployment to OVHcloud using SAML 2.0. Users authenticate against your AD FS server and receive a SAML assertion that grants them access to the OVHcloud Control Panel.To configure this integration, go to Identity, Security & Operations > Users > SSO connection in the Control Panel. Once configured, manage federated user access with IAM policies.Requirements:
  • AD FS running on your server
  • An OVHcloud account with administrator rights
Use Google Workspace as the identity provider for your OVHcloud account. Members of your Google Workspace organisation can log in to the Control Panel without a separate OVHcloud password.Configure the integration under Identity, Security & Operations > Users > SSO connection. Once configured, manage federated user access with IAM policies.Requirements:
  • A Google Workspace account with administrator rights
  • An OVHcloud account with administrator rights
Integrate Microsoft Entra ID (formerly Azure Active Directory) with your OVHcloud account. Users sign in via their Microsoft credentials, and access is governed by your existing Azure AD groups and policies.Configure the integration under Identity, Security & Operations > Users > SSO connection. Once configured, manage federated user access with IAM policies.Requirements:
  • An Azure AD tenant with administrator access
  • An OVHcloud account with administrator rights
Connect Okta to your OVHcloud account so that members of your Okta organisation can access the Control Panel through Okta’s identity platform.Configure the integration under Identity, Security & Operations > Users > SSO connection. Once configured, manage federated user access with IAM policies.Requirements:
  • An Okta account with administrator rights
  • An OVHcloud account with administrator rights
When SSO is active, OVHcloud account passwords are bypassed for federated users. Ensure your identity provider enforces its own strong authentication policies, including MFA, for all users with access to the OVHcloud Control Panel.

Getting started with OVHcloud

Create your account, log in to the Control Panel, and manage your first service.

IAM and access control

Define granular access policies for local users and service accounts.

Managing your password

Best practices for choosing, storing, and rotating your OVHcloud account password.

OVHcloud Help Center

Open a support request or contact OVHcloud by phone or live chat.

Build docs developers (and LLMs) love

Get started for freeTalk to us