MFA is soon mandatory for AWS users, passwordless authentication is optional

AWS has added support for FIDO2 passkeys, a password-less authentication method under the Fast Identity Online (FIDO) framework, for multifactor authentication – and will soon make MFA mandatory for logging into AWS accounts.

“Starting in July 2024, root users of private accounts – those not managed by AWS Organizations – will be required to use MFA when signing in to the AWS Management Console,” Arynn Crow, senior product manager for user authentication at AWS, said at the company’s re:Inforce event on Tuesday. “As with the management accounts, this change will start with a small number of customers and gradually increase over the months,” he said.

AWS will allow customers a grace period to enable MFA that will be displayed as a reminder at login.

AWS will enforce the use of MFA by the end of the year

Currently, as the first leg of its MFA rollout, AWS requires MFA only for root users of the AWS Organizations ‘management account’ when they sign in to the AWS console. AWS Organizations is a policy-based account management service that groups multiple AWS accounts into an ‘organization’.

AWS first announced the upcoming expansion of the MFA requirement to root users of private AWS accounts in October 2023, promising features that “will make MFA even easier to deploy and manage at scale”.

The changes do not apply – yet – to ‘member accounts’ of AWS Organizations, Crow said on Tuesday. Member accounts are the accounts in an organization other than the administrative (management) account used to create and manage it.

AWS plans to introduce additional features later this year to help customers manage MFA for large numbers of users, such as AWS Organizations member accounts.
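Until the enforcement reaches every account, the practical check for an administrator is whether the root user and any console-enabled IAM users actually have an MFA device. The IAM credential report already exposes this: the root row appears as `<root_account>`, and the `password_enabled` and `mfa_active` columns say who can sign in interactively and whether MFA is active. The Go program below is an added example, not AWS code and not from the article; it parses a constructed excerpt of such a report (the account ID, user names and timestamps are made up, and the real report carries more columns, which the header-based lookup tolerates) and lists the principals that can reach the console without MFA.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// SampleReport is a constructed excerpt in the layout of an IAM credential report
// (aws iam get-credential-report returns this CSV base64-encoded). The real
// report has more columns; the parser reads columns by header name, so the
// subset shown here is enough.
const SampleReport = `user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-15T10:00:00+00:00,not_supported,2024-06-10T08:12:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T09:30:00+00:00,true,2024-06-11T14:05:00+00:00,2024-01-05T09:00:00+00:00,N/A,true,true,2024-01-05T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-07-19T11:45:00+00:00,true,no_information,2022-07-19T11:45:00+00:00,N/A,false,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-01T00:00:00+00:00,false,N/A
`

// Finding names a principal that can sign in to the console but has no MFA device.
type Finding struct {
	User, Reason string
}

// ConsoleSignInsWithoutMFA parses a credential report and returns the root user
// (if it lacks MFA) and every IAM user that has a console password but no MFA.
// Users without a password (API-only) are skipped: MFA here is a console control.
func ConsoleSignInsWithoutMFA(report string) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(report)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("credential report has a header only")
	}
	col := map[string]int{}
	for i, h := range rows[0] {
		col[h] = i
	}
	for _, need := range []string{"user", "password_enabled", "mfa_active"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("credential report lacks column %q", need)
		}
	}
	var findings []Finding
	for _, row := range rows[1:] {
		user := row[col["user"]]
		if row[col["mfa_active"]] == "true" {
			continue
		}
		switch {
		case user == "<root_account>":
			findings = append(findings, Finding{user, "root user without MFA"})
		case row[col["password_enabled"]] == "true":
			findings = append(findings, Finding{user, "IAM user with console password but no MFA"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := ConsoleSignInsWithoutMFA(SampleReport)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %s\n", f.User, f.Reason)
	}
}
```

On the constructed report this flags `<root_account>` and `bob`; `alice` has MFA and `svc-deploy` has no console password. To run it against a real account, generate the report with `aws iam generate-credential-report`, then decode `aws iam get-credential-report --query Content --output text` from base64 and feed the CSV to `ConsoleSignInsWithoutMFA`.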

Passkeys to ensure resistance to phishing

To ease the pain of using a second authentication factor to log in, Crow said AWS will support the use of FIDO2 passkeys.

These are more secure than one-time passwords or password-based MFA methods, according to Crow.

Passkeys are considered phishing-resistant because they are based on public key cryptography. When a user creates a passkey for a site or application, a key pair is generated on the user’s device. The public key is shared with the site or application, but on its own it is useless to a threat actor without the corresponding private key.

Signing in with a passkey is usually near-automatic, requires no typing of a password or code, and is secure by design: there are no extra steps or codes that can be stolen, spoofed, or intercepted if mishandled.
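The two paragraphs above describe why a passkey cannot be phished the way a one-time code can. The Go program below is an added example, not code from AWS or from the article, that models the mechanism in miniature: the device (authenticator) holds a private key scoped to one relying party ID, the server holds only the public key, and what gets signed is the server's one-time challenge together with the origin the browser actually loaded. The names `console.example` and `console-example.test` are constructed, and the client-data and signature formats are simplified stand-ins for the real WebAuthn structures.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Authenticator models the user's device: private keys are generated here, one per relying party ID, and never leave.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

// Register creates a credential scoped to rpID and returns only its public key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// ClientData is what gets signed: the server's one-time challenge plus the origin of the page
// the browser actually loaded. The browser fills in Origin; the page's own script cannot choose it.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign signs the client data with the credential scoped to rpID; it returns the signed bytes and the signature.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (clientData, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential registered for rpID " + rpID)
	}
	clientData, err = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	return clientData, ed25519.Sign(priv, clientData), nil
}

// RelyingParty is the server; it holds the public key only.
type RelyingParty struct {
	ID, Origin string
	PubKey     ed25519.PublicKey
}

// Verify fails on a wrong or replayed challenge, an origin other than the server's own,
// or a signature the stored public key does not validate.
func (rp *RelyingParty) Verify(challenge, clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	}
	if !ed25519.Verify(rp.PubKey, clientData, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// PhishingDemo runs a genuine sign-in, then the two dead ends a lookalike site hits: the browser
// scopes its request to the lookalike's own rpID, which has no credential, and an assertion that
// carries the lookalike origin is rejected by the server even though it was made with the real key.
func PhishingDemo() (legit, noCredential, originRejected error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{ID: "console.example", Origin: "https://console.example"} // constructed names
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return err, err, err
	}
	rp.PubKey = pub
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err, err, err
	}
	cd, sig, err := auth.Sign(rp.ID, rp.Origin, challenge)
	if err != nil {
		return err, err, err
	}
	legit = rp.Verify(challenge, cd, sig)
	lookalike := "https://console-example.test" // constructed lookalike origin
	_, _, noCredential = auth.Sign("console-example.test", lookalike, challenge)
	cd2, sig2, err := auth.Sign(rp.ID, lookalike, challenge)
	if err != nil {
		return legit, noCredential, err
	}
	originRejected = rp.Verify(challenge, cd2, sig2)
	return legit, noCredential, originRejected
}
```

`PhishingDemo` returns nil for the genuine sign-in and non-nil errors for both lookalike paths. The design point is that the server never compares a secret the user typed; it checks a signature over data that names the challenge and the origin, so a relayed challenge signed from the wrong site verifies against nothing, and the public key alone lets nobody produce a valid signature.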

Synchronized passkeys, an implementation of the FIDO2 standard, allow a passkey created on one device to be shared across devices and operating systems. This is an improvement, Crow explained, because passkeys can be backed up and synced across devices rather than being tied to a single portable device such as a USB security key.

“Customers already use passkeys on billions of computers and mobile devices around the world, using only a security method such as a fingerprint, face scan, or PIN built into their device,” added Crow. “For example, you can set up Apple Touch ID on your iPhone or Windows Hello on your laptop as your authenticator, and then use that passkey as your MFA method as you sign in to the AWS console on all the other multiple devices you have.”
