Amazon Web Services (AWS) has introduced FIDO2 passkeys as a new method for multi-factor authentication (MFA) to enhance account security and usability.
Additionally, as announced last October, the internet company reminds us that 'root' AWS accounts must enable MFA by the end of July 2024.
Passkeys on AWS
FIDO2 passkeys are hardware (security key) or software-based credentials that rely on public key cryptography (a public/private key pair): the private key signs a challenge sent by the server, and the server verifies that signature against the registered public key to confirm the authentication attempt.
Unlike one-time passwords, passkeys resist phishing and man-in-the-middle attacks, can be synced across devices, work across multiple device and OS architectures, and provide strong authentication thanks to their (typically) unbreakable cryptography.
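To make the challenge-response and phishing-resistance claims above concrete, here is an added, self-contained Go sketch of the exchange (it is illustrative code written for this page, not AWS's or any FIDO library's implementation). It models an authenticator holding an Ed25519 private key and a relying party that issues a one-time challenge, then checks that the signed client data carries the expected origin and challenge before accepting the signature. The origins and user name are constructed placeholders; authenticator data, counters and attestation from real WebAuthn are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's clientDataJSON: the server's challenge plus the
// origin the browser actually observed. Both are covered by the signature.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Passkey is the authenticator side. The private key never leaves it.
type Passkey struct{ priv ed25519.PrivateKey }

func NewPasskey() (*Passkey, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{priv: priv}, pub, nil
}

// Sign returns serialized client data and an Ed25519 signature over its SHA-256
// hash. The browser, not the user, supplies the origin it is really on.
func (p *Passkey) Sign(challenge []byte, origin string) ([]byte, []byte, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(p.priv, h[:]), nil
}

// RelyingParty is the server side: enrolled public keys per user and at most
// one outstanding challenge per user.
type RelyingParty struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues 32 fresh random bytes and remembers them for a single use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge, then checks origin, challenge and
// signature in that order. Any failure rejects the assertion.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok {
		return errors.New("no challenge outstanding (replay?)")
	}
	delete(rp.pending, user)
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", parsed.Origin, rp.origin)
	}
	if subtle.ConstantTimeCompare(parsed.Challenge, want) != 1 {
		return errors.New("challenge mismatch")
	}
	h := sha256.Sum256(cd)
	if !ed25519.Verify(rp.keys[user], h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a genuine login, a relayed (look-alike site) login, and a replayed
// assertion, reporting whether each behaved as the text describes.
func Demo() (legitOK, phishRejected, replayRejected bool, err error) {
	const rpOrigin = "https://signin.example.test" // constructed placeholder origin
	rp := NewRelyingParty(rpOrigin)
	key, pub, err := NewPasskey()
	if err != nil {
		return
	}
	rp.Register("alice", pub) // constructed user name

	c, _ := rp.Challenge("alice") // 1. browser really is on rpOrigin
	cd, sig, _ := key.Sign(c, rpOrigin)
	legitOK = rp.Verify("alice", cd, sig) == nil

	c, _ = rp.Challenge("alice") // 2. look-alike site relays the real challenge,
	cd2, sig2, _ := key.Sign(c, "https://signin-example.test") // but the signed origin is wrong
	phishRejected = rp.Verify("alice", cd2, sig2) != nil

	replayRejected = rp.Verify("alice", cd, sig) != nil // 3. old assertion, challenge already consumed
	return
}

func main() {
	l, p, r, err := Demo()
	fmt.Println("legit:", l, "phish rejected:", p, "replay rejected:", r, "err:", err)
}
```

The point of the relay case is that the authenticator is never told the "right" origin by the user; the browser fills it in from the page it is actually on, so a challenge forwarded through a look-alike site produces a signature the real server will not accept. This is what distinguishes a passkey from a one-time code that a user can be talked into typing anywhere.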
Amazon says its implementation allows the flexibility of creating syncable software passkeys to add as an MFA method for AWS accounts, unlocking them through Apple Touch ID on an iPhone, Windows Hello on a laptop, and similar platform authenticators.
The internet company says those vulnerable to phishing and social engineering attacks should consider using passkeys for accessing AWS consoles but notes that, ultimately, any form of MFA is better than nothing.
Amazon tells customers that when choosing MFA, it is important to consider the security model of the passkey providers, including how they handle access and recovery of the key vault.
Push for MFA adoption
Mandatory MFA usage will begin with standalone root account users starting in July 2024, with the rollout impacting a small number of customers initially and gradually expanding over several months to give users a grace period.
Initially, the requirement will only apply to root users, who have the highest level of access and can make significant changes to the AWS environment, as those are more susceptible to damaging attacks.
A pop-up alert will be displayed at sign-in to remind impacted account holders of the new requirement.
Root users of member accounts in AWS organizations and general user accounts will not be immediately required to activate an MFA step, though they're strongly encouraged to do so for optimal security.
The MFA requirement is expected to be extended to other user categories, but plans on this will be shared later in the year.
Amazon says it has recently committed to enhancing MFA adoption by signing CISA's Secure by Design pledge, so the company is actively working towards that goal.
Comments
johnlsenchak - 3 weeks ago
I really like FIDO passkeys; they work well using the Chrome 64 browser.
Lefty4444 - 3 weeks ago
A good step, but awfully late, it's 2024 with MFA requirement for root... Every time I hear "we are security first company" I want to punch the suit that came up with this in his greedy face.
Look at Snowflake, GitHub, Slack and everyone else at sso.tax that is overcharging for basic security. Or make it too hard to implement for many customers.
1. Enforce MFA for all admins from day 1!
2. Stop forcing customers into Enterprise license tiers for basic security functionality, such as MFA policies and SSO!
Wannabetech1 - 3 weeks ago
If a hardware key is used, MFA isn't necessary, is it?
powerspork - 3 weeks ago
A hardware key is MFA: it is something you have (the key) and something you know (the PIN).
Khimaja - 2 weeks ago
While it's a positive move to see a focus on security, it's disappointing that it's taken until 2024 to enforce MFA for root access. Hearing companies boast about being 'security-first' only to implement such crucial measures so belatedly is exasperating.
Consider the examples set by industry leaders like Snowflake, GitHub, and Slack, who have seamlessly integrated MFA and SSO without burdening customers with excessive costs or complexity.
Here are two pragmatic steps to consider:
1. From day one, mandate MFA for all administrative accounts.
2. Avoid the practice of reserving basic security functionalities like MFA policies and SSO for enterprise-tier licenses, which unfairly limits access for smaller clients.
It's high time we prioritize proactive security strategies rather than reacting when the damage has already been done.