AWS Customers Can Now Order a Free MFA Security Key

As far as I’m concerned, basic user security starts with multifactor authentication (MFA). Yes, many developers disagree. For them, MFA is just one more annoying step in their developer pipeline. And, yes, MFA can be compromised. Boy, do I know MFA can be compromised. But it’s still so much safer than the alternative of relying simply on user IDs and passwords.
So when Amazon Web Services (AWS) Security began offering a free MFA security key to AWS account owners in the United States in 2021, I was happy. But it wasn’t that easy to actually get your hands on the key. Remember what I just said about programmers not being happy about spending time on MFA? Here it is again. But now, eligible AWS customers can order their free security key through the AWS Management Console’s ordering portal. That streamlines the ordering process, especially for linked accounts.
At this time, only US-based AWS account root users who have spent more than $100 each month over the past three months are eligible to place an order. I wish AWS would make this available to users outside the US. Come on, C.J. Moses, AWS's CISO, can't we all get them?
Still, it’s a start.
FIDO2
AWS uses a FIDO2 physical key. FIDO2 is an open authentication standard and an extension of FIDO U2F. It's made up of the W3C Web Authentication specification (the WebAuthn API) and the Client to Authenticator Protocol (CTAP), an application-layer protocol. CTAP handles the communication between clients or platforms, such as a browser or operating system, and an external authenticator.
You use one by plugging your FIDO2 security key into a USB port on your computer and enabling it. After that, you tap it when prompted to securely complete the sign-in process. Note that if you already use a FIDO security key with other services and it has an AWS-supported configuration, for example the YubiKey 5 Series, you can also use it with AWS. When you enable a FIDO-compliant authenticator in AWS, the security key creates a new key pair that is used only with AWS.
You can only use one such key per AWS account. You can, however, Moses wrote, use your AWS FIDO2 security key with other security key–enabled applications, such as Dropbox, GitHub, and Gmail.
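To make concrete what happens on the service side when you tap the key, here is an added example that is not from this post, from AWS, or from any FIDO library: a stdlib-only Python check of the non-signature parts of a WebAuthn assertion (challenge, origin, rpIdHash, user-presence flag, signature counter), run over constructed sample data. RP_ID, EXPECTED_ORIGIN and the sample values are assumptions, and the ES256 signature verification against the registered public key is left out.

```python
# Relying-party checks on a WebAuthn assertion (stdlib only; ES256 signature check omitted)
import base64
import hashlib
import json
import struct
RP_ID = "signin.example.test"                   # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://signin.example.test"  # assumed origin the RP accepts (constructed)
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def parse_authenticator_data(auth_data: bytes) -> dict:
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || extensions
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {"rp_id_hash": auth_data[:32], "user_present": bool(auth_data[32] & 0x01),
            "counter": struct.unpack(">I", auth_data[33:37])[0]}
def check_assertion(client_data_json, auth_data, expected_challenge, last_counter):
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed response")
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch: browser was on a different site (phishing)")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential belongs to another relying party")
    if not ad["user_present"]:
        raise ValueError("user-presence flag clear: the key was not tapped")
    if (ad["counter"] or last_counter) and ad["counter"] <= last_counter:
        raise ValueError("signature counter did not increase: possible cloned key")
    # The key's ES256 signature covers authData || sha256(clientDataJSON); verify it with the stored public key
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"counter": ad["counter"], "signed_bytes": signed}
def make_sample(challenge: bytes, origin=EXPECTED_ORIGIN, rp_id=RP_ID, flags=0x01, counter=7):
    # Constructed assertion pieces, shaped as a browser and authenticator would hand them to the RP
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
    return client, auth
def run_demo() -> dict:
    challenge = b"constructed-challenge-0123456789"
    bad = {"phish": {"origin": "https://signin.example-login.test"},
           "wrong_rp": {"rp_id": "other.example.test"}, "no_tap": {"flags": 0x00}}
    results = {"good_counter": check_assertion(*make_sample(challenge), challenge, 3)["counter"]}
    for name, kw in bad.items():
        try:
            check_assertion(*make_sample(challenge, **kw), challenge, 3)
        except ValueError as exc:
            results[name] = str(exc).split(":")[0]
    return results
```

The origin and rpIdHash checks are what make a FIDO2 key phishing-resistant: a credential registered for AWS simply does not validate for a look-alike domain, and the user-presence flag is the "tap" the article describes.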
Lock It Down
Moses also recommends that as a best practice, “all your users should obtain and enable MFA. This can be done at the AWS Identity and Access Management (IAM) user level in the AWS identity system or upstream in your federated identity provider, since using federated identities is a best practice.”
So, don’t you think it’s time you get your free key and start locking down your AWS accounts? I do.