Amazon Web Services (AWS) is adding support for FIDO2 passkeys as a multi-factor authentication (MFA) option, as the cloud giant prepares to boost the security requirements around more user accounts.
Back in October last year, AWS said it would begin to require MFA for the most privileged users on an AWS account, starting with AWS Organizations management account root users.
Starting next month, root users of standalone accounts (by which AWS means those that aren’t managed with AWS Organizations) will be required to use MFA when signing in to the AWS Management Console.
This policy change will start with a small number of customers and increase over a period of months. Customers will have a grace period to allow them to upgrade to MFA, and they will be reminded about it at sign-in.
AWS said this change does not apply to the root users of member accounts in AWS Organizations. It said there will be more information about the MFA requirements for remaining root user use cases, such as member accounts, later in the year.
MFA can come in many forms but generally means going beyond the classic user-name-and-password combination which, it has turned out, is a pretty flimsy way of securing accounts online. That’s because passwords are too easy to crack or re-use across different services.
They’re easily shared, lost or stolen, all of which is why many data leaks and hacks often start with attackers being able to access systems with some form of legitimate but compromised credentials. Stolen credentials or leaked credentials has been seen as one of the biggest risks to cloud infrastructure.
As cloud security improves, attackers are finding that obtaining valid credentials is an easier route. According to research by IBM earlier this year, cloud account credentials make up 90% of the for-sale cloud assets on the dark web.
As AWS extends the need for customers to use MFA it is also giving them another option to choose from in the form of FIDO2 passkeys.
“When used as MFA, passkeys provide enhanced security for human authentication in a user-friendly manner. You can register and use passkeys today to enhance the security of your AWS console access,” said Arynn Crow, senior manager of user authentication products for AWS Identity.
“This will help you to adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July.
“We strongly encourage you adopt some form of MFA anywhere you’re signing in today, and especially phishing-resistant MFA, which we’re excited to enhance with FIDO2 passkeys.”
Passkeys are already used widely to improve account security (you can already use them to secure your Amazon shopping account for example). Passkeys are FIDO2 credentials, which use public key cryptography to provide strong, phishing-resistant authentication, but can be backed up and synced across devices and operating systems rather than being stored on physical devices like a USB-based key.
Whether you want to use passkeys or something else, AWS said that any type of MFA is better than no MFA at all.
“MFA is one of the simplest but most effective security controls you can apply to your account, and everyone should be using some form of MF,” the firm said.
AWS points out that phishing and social engineering attacks that target users who use one-time codes for MFA, like the ones sent to your phone, have increased.
Because using this option means you need to read the number or code from the device and enter it manually, attackers can also try to get users to read the code out to them instead, thereby bypassing the value of MFA. Passkeys aren’t vulnerable to this.
AWS said that if your organization is already using another form of MFA like a non-syncable FIDO2 hardware security key or authenticator app, the question of whether or not you should migrate to syncable passkeys is dependent on your or your organizations’ uses and requirements.
“Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices,” the cloud giant said.
