AWS Expands MFA Requirements, Boosting Security and Usability with Passkeys

In this announcement, AWS emphasizes its commitment to providing a secure environment for customers by introducing support for FIDO2 passkeys as a method for multi-factor authentication (MFA).

PCQ Bureau

Amazon Web Services (AWS) aims to be the most secure environment for customers to run their workloads. From the beginning, they've implemented secure-by-design and safe-by-default practices in the cloud. Today, they're further enhancing their customers' strong authentication options by introducing support for FIDO2 passkeys as a method for multi-factor authentication (MFA) while expanding their MFA capabilities. Passkeys provide a highly secure and user-friendly option for many of their customers to enable MFA.

New MFA Requirements for AWS Root Users Starting July 2024

In October 2023, they announced that MFA would become mandatory for the most privileged users in an AWS account, starting with AWS Organizations management account root users and then expanding to other use cases. Beginning in July 2024, root users of standalone accounts (those not managed with AWS Organizations) will be required to use MFA when signing in to the AWS Management Console. This change will initially affect a small number of customers and will gradually extend over several months. Customers will receive a grace period to enable MFA, with reminders displayed at sign-in. This requirement does not apply to root users of member accounts within AWS Organizations. They will provide more details about MFA requirements for other root user use cases, such as member accounts, later in 2024 as they introduce additional features to help manage MFA for a larger number of users at scale.

As they prepare to expand this program in the coming months, they are now introducing support for FIDO2 passkeys as an MFA method to help customers meet their MFA requirements and enhance their default security posture. Customers already use passkeys on billions of computers and mobile devices worldwide, utilizing security mechanisms like fingerprints, facial scans, or PINs built into their devices. For instance, you can configure Apple Touch ID on your iPhone or Windows Hello on your laptop as your authenticator, then use that same passkey as your MFA method when signing in to the AWS console on multiple devices.

There has been a lot of discussion about passkeys in the industry over the past year, so in this blog post, they'll address some common questions about passkeys and share reflections about how they can fit into your security strategy.

What are passkeys, anyway?

Passkeys are a new name for a familiar technology: passkeys are FIDO2 credentials, which use public key cryptography to provide strong, phishing-resistant authentication. Syncable passkeys are an evolution of the FIDO2 implementation by credential providers—such as Apple, 1Password, Google, Dashlane, Microsoft, and others—that enables FIDO keys to be backed up and synced across devices and operating systems rather than being stored on a physical device like a USB-based key.

These changes are substantial enhancements for customers who prioritize usability and account recovery, but the changes require no modifications to the specifications that make up FIDO2. Passkeys possess the same fundamental cryptographically secure, phishing-resistant properties FIDO2 has had from the start. As a member company of the FIDO Alliance, they continue to work with FIDO to support the evolution and growth of strong authentication technologies and are excited to enable this new experience for FIDO technology that provides a good balance between usability and strong security.

Who should use passkeys?

Before describing who should use passkeys, they emphasize that any type of MFA is better than no MFA at all. MFA is one of the simplest but most effective security controls you can apply to your account, and everyone should be using some form of MFA. Still, it’s useful to understand some of the key differences between types of MFA when making a decision about what to use personally or to deploy at your company.

They recommend phishing-resistant forms of MFA, such as passkeys and other FIDO2 authenticators. In recent years, as credential-based exploits increased, so did phishing and social engineering exploits that target users who utilize one-time PINs (OTPs) for MFA. As an example, a user of an OTP device must read the PIN from the device and enter it manually, so bad actors could attempt to get unsuspecting users to read the OTP to them instead, thereby bypassing the value of MFA. Passkeys, like any kind of MFA, are a clear improvement over password-only authentication, and in many cases passkeys are both more user-friendly and more secure than OTP-based MFA. This is why passkeys are such an important tool in the Secure by Design strategy: usable security is essential to effective security. For this reason, passkeys are a great option to balance user experience and security for most people. It's not always easy to find security mechanisms that are both more secure and yet easier to use, but compared to OTP-based MFA, passkeys are one of those nice exceptions.
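To make the phishing-resistance claim concrete, here is an added Go sketch of the FIDO2 assertion check; it is not AWS code or a real WebAuthn library, and the relying party ID, site origin and challenge values are constructed. The browser, not the web page, writes the origin the user is really on into the signed client data, so an assertion a user was tricked into producing on a look-alike site fails verification at the real site even if relayed unchanged, which is exactly the guarantee an OTP read out to an attacker cannot give.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// NewPasskey creates a simplified FIDO2 credential: a P-256 key pair for one relying party.
func NewPasskey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// signedMessage binds a signature to both the relying party ID and the exact client data,
// mirroring WebAuthn's authenticatorData (carrying SHA-256(rpID)) || SHA-256(clientDataJSON).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// Sign models browser plus authenticator. The browser, not the web page, writes the origin the
// user is actually on into clientDataJSON; the authenticator then signs over it.
func Sign(key *ecdsa.PrivateKey, rpID, challenge, origin string) (clientDataJSON, sig []byte) {
	clientDataJSON, _ = json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedMessage(rpID, clientDataJSON))
	return clientDataJSON, sig
}

// Verify models the relying party. Challenge and origin are checked before the signature, so an
// assertion the user made on a look-alike domain fails even when relayed unchanged, and a
// credential registered for another rpID fails the signature check (rpID is in the signed data).
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, clientDataJSON, sig []byte) error {
	var cd map[string]string
	_ = json.Unmarshal(clientDataJSON, &cd) // malformed JSON leaves cd empty and fails below
	switch {
	case cd["challenge"] != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: assertion was made on " + cd["origin"])
	case !ecdsa.VerifyASN1(pub, signedMessage(rpID, clientDataJSON), sig):
		return errors.New("bad signature: wrong key or wrong relying party")
	}
	return nil
}
```

A real browser would not even offer the credential on a foreign origin; the relying-party checks shown here are the second, independent line of defence.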

If you're already using another form of MFA like a non-syncable FIDO2 hardware security key or an authenticator app, whether or not you should migrate to syncable passkeys depends on your own or your organization's uses and requirements. Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices. It's also important to understand that the passkey provider's security model, such as the requirements the provider places on accessing or recovering access to the key vault, is now an important consideration in your overall security model when you decide what kinds of MFA to deploy or to use going forward.

Increasing the use of MFA

At the RSA Conference last month, they decided to sign on to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design pledge, a voluntary pledge for enterprise software products and services, in line with CISA’s Secure by Design principles. One key element of the pledge is to increase the use of MFA, one of the simplest and most effective ways to enhance account security.

When used as MFA, passkeys provide enhanced security for human authentication in a user-friendly manner. You can register and use passkeys today to enhance the security of your AWS console access. This will help you adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July. They'll cover more about their status and progress regarding other elements of the Secure by Design pledge in subsequent communications. Meanwhile, they strongly encourage you to adopt some form of MFA anywhere you're signing in today, and especially phishing-resistant MFA, which they're excited to enhance with FIDO2 passkeys.
