Amazon will require all privileged AWS (Amazon Web Services) accounts to use multi-factor authentication (MFA) for stronger protection against account hijacks leading to data breaches, starting in mid-2024.
Multi-factor authentication provides an extra layer of security to prevent unauthorized access, even if attackers steal an account’s credentials.
Amazon has been offering free MFA security keys for eligible AWS customers in the United States since 2021 and added more flexible MFA options on the platform in November 2022, allowing the registration of up to 8 MFA devices per account.
Not using MFA to protect cloud assets can result in unauthorized access, compromise of sensitive data stored in AWS services, loss of service availability due to malicious modification of settings or the deletion of essential resources, and more.
Amazon has decided that the most straightforward approach to mitigating these risks and decreasing the attack surface on AWS would be to enforce MFA, starting from the most critical category of users.
“Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed,” reads Amazon’s announcement.
“Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign in to the console.”
Amazon has also said that this requirement will be expanded to additional accounts and use-case scenarios as they release new features that will make MFA adoption and management at scale easier.
Finally, Amazon recommends that customers pick phishing-resistant MFA technologies like security keys, although MFA authentication apps also work.
Security keys conforming to the FIDO U2F or FIDO2/WebAuthn standards are inherently resistant to reverse proxy and man-in-the-middle attacks that are on the rise right now.
During authentication, the security key responds to server-sent challenges using its private key while also checking the website’s origin.
If there’s an origin mismatch, possibly from a reverse proxy attack, the key won’t sign the challenge, preventing the interception of valuable secrets.
For more information on MFA support on AWS and guidance on setting up protection for your account, check out Amazon’s user guide page.