Amazon has announced improved support for using FIDO2 security keys as a multi-factor authentication (MFA) device to log on to the Amazon Web Services (AWS) console.
FIDO2 security keys are a phishing-resistant standards-based passwordless authentication method and are typically USB-like devices, but they can also use Bluetooth or near-field communication (NFC).
FIDO2 security keys like the YubiKey are now supported on AWS GovCloud (US region), providing phishing-resistant MFA for all users.
"This new capability expands the existing MFA functionality by introducing additional options such as FIPS-validated security keys," AWS says.
"With this update, you also gain the flexibility to specify the registration of specific authenticators in your IAM policies, based on your preferred certification type and level," the company says.
"This gives you an additional mechanism to define what kinds of authenticators your users can register if you have specific security or compliance requirements."
Additionally, AWS has improved its support for device attestation in all regions, including support for IAM policies that can be used to enforce enrolment with FIPS-certified or FIDO Alliance-certified devices. The YubiKey 5 FIPS series, which is both FIPS 140-2 validated and FIDO Level 2 certified, meets the highest security and compliance needs.
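The attestation-based enrolment control described above can be expressed as an IAM policy that denies security key registration unless the device's attestation shows the required certification level. The following is an added example, not a policy from AWS or the original article; the condition keys `iam:RegisterSecurityKey`, `iam:FIDO-certification` and `iam:FIDO-FIPS-140-2-certification` and their values are assumed from the AWS IAM documentation as the editor recalls it and should be checked against the current condition-key reference before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKeysBelowFidoLevel2",
      "Effect": "Deny",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        },
        "StringNotEquals": {
          "iam:FIDO-certification": ["L2", "L2plus", "L3", "L3plus"]
        }
      }
    },
    {
      "Sid": "DenyKeysWithoutFips1402Validation",
      "Effect": "Deny",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        },
        "StringNotEquals": {
          "iam:FIDO-FIPS-140-2-certification": ["L1", "L2", "L3", "L4"]
        }
      }
    }
  ]
}
```

Because `StringNotEquals` also matches when the attestation key is absent, a key that presents no usable attestation statement is denied rather than silently accepted; virtual (TOTP) MFA registration is unaffected because the `iam:RegisterSecurityKey` condition limits both statements to security key enrolment.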
This news means that however you access the AWS console, whether via a root account or an IAM user, in a commercial or government cloud region, from a desktop or a supported mobile platform, you can secure your access with an easy-to-use, phishing-resistant FIDO2 security key. AWS even supports enrolling a FIDO2 credential on behalf of another user, for organisations that need extra control over their AWS console credentials.
"Customers can leverage any supported IAM MFA method, including FIDO security keys, to strengthen the security of their AWS accounts," AWS says.
"By doing so, customers can provide their users with the highest level of protection while ensuring that your organisation meets its usability, security, and compliance goals."
AWS Identity and Access Management features include:
- Set and manage guardrails and fine-grained access controls for your workforce and workloads.
- Manage identities across single AWS accounts or centrally connect identities to multiple AWS accounts.
- Grant temporary security credentials for workloads that access your AWS resources.
- Continually analyse access to right-size permissions on the journey to least privilege.
If you have a YubiKey and an AWS account in a standard AWS region, it is recommended that you register an additional YubiKey today (accounts in standard regions support up to 8 MFA devices per user).
AWS GovCloud currently only supports a single MFA device per user, but support for multiple security keys is expected in the future as this is provided in standard AWS regions today.