AWS adds passkey support for better security, implements MFA for root users


AWS recently announced two new security features. First, passkeys can now be used for multi-factor authentication (MFA) for root and IAM users, providing a second factor beyond a username and password. Second, AWS now requires MFA for root users, starting with the root user of the management account of an AWS organization. This requirement will be expanded to other accounts throughout the year.

AWS Principal Developer Advocate Sébastien Stormacq discussed these MFA-related announcements in a blog post. Stormacq explained that the passkey used in FIDO2 authentication is a pair of cryptographic keys created on your device when you sign up for a service or website. It consists of two linked keys: a public key stored by the service provider and a private key stored securely on your device (such as a security key) or synced across your devices via services like iCloud Keychain, Google accounts, or password managers like 1Password.

As the other part of the security-related announcement, Stormacq noted that AWS is now enforcing multi-factor authentication (MFA) for root users on certain accounts. The initiative, launched last year by Amazon Chief Security Officer Stephen Schmidt, aims to enhance the security of the most sensitive accounts.

AWS is rolling this out gradually, starting with a limited number of AWS Organizations management accounts and expanding to most accounts over time. Users who don't have MFA enabled on their root account will receive a prompt to enable it upon login, with a grace period before it becomes mandatory.

To enable passkey MFA, users will need to access the IAM section of the AWS console. After selecting the desired user, locate the MFA section and click “Assign MFA Device”. It is important to note that enabling multiple MFA devices for a user can improve account recovery options.

[Image. Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users]

Next, name the device and select “Passkey or security key.” If a password manager with passkey support is in use, it will offer to create and store a passkey. Otherwise, the browser will offer options (depending on the OS and browser). For example, on a macOS machine using a Chromium-based browser, a prompt to use Touch ID to create and store a passkey within iCloud Keychain is presented. The experience from this point forward varies depending on the user's selection.

[Image. Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users]

In a Reddit discussion about the announcement, one user noted a possible discrepancy: the release document recommends Identity Center over IAM, yet the newly added passkey support did not extend to Identity Center. The thread further concluded that the release mainly added support for the FIDO2 platform authenticator (passkey) alongside the existing support for the roaming authenticator (security key).

Passkeys for multi-factor authentication are currently available to AWS users in all regions except China. Additionally, enforcement of multi-factor authentication for root users is effective in all regions except two China regions (Beijing and Ningxia) and AWS GovCloud (US), as these regions operate without root users.
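Because the MFA requirement is being rolled out gradually, an account owner may want to verify today which console principals, root included, still lack a second factor. The following check is an added example, not code from the article or from AWS: it parses an IAM credential report (the CSV that `aws iam get-credential-report` returns) and lists every principal that can sign in to the console without MFA. The sample report is constructed, the account id is a placeholder, and `fetch_report` assumes boto3 is installed with credentials that may call IAM.

```python
import csv
import io
import time

# Constructed sample of an IAM credential report. Only the columns this check
# reads are realistic; the root user row uses "not_supported" for password
# fields exactly as the real report does. Account id 123456789012 is a placeholder.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2024-05-20T08:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-05-22T07:30:00+00:00,2024-01-15T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-06-14T11:00:00+00:00,true,no_information,2022-06-14T11:00:00+00:00,N/A,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def users_missing_mfa(report_csv: str) -> list:
    """Return principals that can use a console password but have no active MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # Root always has a console password (the column reads "not_supported");
        # for IAM users the password_enabled column is authoritative.
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append({
                "user": row["user"],
                "severity": "critical" if is_root else "high",
                "last_console_use": row["password_last_used"],
            })
    # Root first, then alphabetical, so the most sensitive gap tops the list.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["user"]))
    return findings


def fetch_report(poll_seconds: int = 2, attempts: int = 10) -> str:
    """Fetch the live report with boto3 (assumed installed and configured)."""
    import boto3  # imported lazily so the offline check above needs no AWS SDK
    iam = boto3.client("iam")
    for _ in range(attempts):
        # Report generation is asynchronous; poll until it is COMPLETE.
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"].decode()
        time.sleep(poll_seconds)
    raise RuntimeError("credential report not ready; retry later")


if __name__ == "__main__":
    for finding in users_missing_mfa(SAMPLE_REPORT):
        print(f'{finding["severity"]:8} {finding["user"]:16} last console use: {finding["last_console_use"]}')
```

Replace `SAMPLE_REPORT` with `fetch_report()` to run the same check against a real account.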
