Amazon Web Services (AWS) has introduced FIDO2 passkeys as a new method for multi-factor authentication (MFA) to enhance account security and usability.
Additionally, as announced last October, the internet company reminds us that ‘root’ AWS accounts must enable MFA by the end of July 2024.
Passkeys on AWS
FIDO2 passkeys are physical (hardware keys) or software-based authentication solutions that leverage public key cryptography (public + private pair) to sign a challenge sent by the server used for verifying the authentication attempt.
Unlike one-time passwords, passkeys are resistant to phishing and man-in-the-middle attacks, syncable, support multiple device and OS architectures, and provide strong authentication thanks to their (typically) unbreakable encryption.
Amazon says its implementation allows the flexibility of creating syncable software passkeys to add as an MFA method for AWS accounts, unlocking them through Apple Touch ID on the iPhone, Windows Hello on the laptop, and others.
The internet company says those vulnerable to phishing and social engineering attacks should consider using passkeys for accessing AWS consoles but notes that, ultimately, any form of MFA is better than nothing.
Amazon tells customers that when choosing MFA, it is important to consider the security model of the passkey providers, including how they handle access and recovery of the key vault.
Push for MFA adoption
Mandatory MFA usage will begin with standalone root account users starting in July 2024, with the rollout impacting a small number of customers initially and gradually expanding over several months to give users a grace period.
Initially, the requirement will only apply to root users, who have the highest level of access and can make significant changes to the AWS environment, as those are more susceptible to damaging attacks.
A pop-up alert will be displayed at sign-in to remind impacted account holders of the new requirement.
Root users of member accounts in AWS organizations and general user accounts will not be immediately required to activate an MFA step, though they’re strongly encouraged to do so for optimal security.
The MFA requirement is expected to be extended to other user categories, but plans on this will be shared later in the year.
Amazon says it has recently committed to enhancing MFA adoption by signing CISA’s Secure by Design pledge, so the company is actively working towards that goal.