A while ago, AWS introduced support for using a YubiKey, or another U2F-compliant device, as an added security measure to protect your local IAM or root account.
Logging in to a service or application, the AWS console in this case, requires a username and a password. To make things more secure, MFA (multi-factor authentication) is typically enabled on the account. This requires you to provide the TOTP (Time-based One-time Password) from a hardware or virtual device in addition to your username and password when logging in.
I'm already using MFA, why should I care?
While providing good added protection against username/password leaks, classic TOTP-based 2FA implementations still have one major attack vector: phishing. After all, a TOTP code is still just a password that must be typed into a field for verification, and that field is exactly what a phishing page imitates.
FIDO U2F to the rescue
U2F, or Universal 2nd Factor, is an open authentication standard that tackles the previously mentioned weakness of TOTP-based MFA implementations. U2F uses USB-based devices (NFC devices exist too, but they are not supported here) to provide the second factor of authentication: the browser exposes the hardware directly to the requesting application, which performs a challenge-response authentication with the device. Because the device signs a challenge tied to the site's origin, the response is useless to a phishing page.
How to start using it
Luckily, taking a U2F device into use with AWS is really easy.
- Fire up your AWS console
- Go to IAM and open up the user you wish to associate the device with
- Under Security Credentials you can Manage your Assigned MFA device
- Following the on-screen instructions, you're set in no time (check the thumbnails)
For more detailed information, visit AWS's Enabling a U2F Security Key (Console) documentation.
Currently, U2F-based MFA only works in the AWS web console, because U2F requires a browser to interact with the device. Also, note that U2F might not work in all browsers, or support for it might not be enabled by default.
This doesn't, however, mean that you can't use the AWS CLI when U2F-based MFA is enabled. It only prevents calls that are gated by a policy condition requiring MFA (the aws:MultiFactorAuthPresent condition key).
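To see which of a user's permissions a plain CLI session keeps or loses under that condition key, here is an added example (not from the original post): it evaluates only the aws:MultiFactorAuthPresent clauses of a constructed sample policy for a request that carries no MFA context, which is what a CLI call made with long-term access keys looks like. The policy, its Sids and the function names are all constructed for this illustration.

```python
import json

MFA_KEY = "aws:multifactorauthpresent"  # IAM condition keys are case-insensitive

# Constructed sample policy (not from the post): reads work without MFA, destructive
# actions are gated on aws:MultiFactorAuthPresent, and a Deny covers everything outside S3.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWithoutMfa", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
        {"Sid": "DeleteNeedsMfa", "Effect": "Allow",
         "Action": ["s3:DeleteObject", "iam:DeleteUser"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyUnlessMfa", "Effect": "Deny", "NotAction": ["s3:*"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})

def mfa_clause_holds_without_mfa(condition):
    """Evaluate only the aws:MultiFactorAuthPresent clauses of a Condition block
    for a request in which that key is absent (no MFA was used at all).
    Returns None when the statement does not reference the key."""
    verdict = None
    for operator, pairs in condition.items():
        for key, value in pairs.items():
            if key.lower() != MFA_KEY:
                continue
            op = operator.lower()
            if op == "bool":            # a missing key never satisfies Bool
                holds = False
            elif op == "boolifexists":  # ...but always satisfies BoolIfExists
                holds = True
            elif op == "null":          # Null:true means "the key is absent"
                holds = str(value).lower() == "true"
            else:
                raise ValueError(f"unsupported operator for {key}: {operator}")
            verdict = holds if verdict is None else (verdict and holds)
    return verdict

def mfa_gated_statements(policy_json):
    """Per statement that references the MFA key: does it still apply without MFA?"""
    report = {}
    for stmt in json.loads(policy_json)["Statement"]:
        holds = mfa_clause_holds_without_mfa(stmt.get("Condition", {}))
        if holds is not None:
            report[stmt["Sid"]] = {"Effect": stmt["Effect"], "applies_without_mfa": holds}
    return report
```

An Allow statement that does not apply without MFA is a permission the CLI session silently lacks, while a Deny statement that does apply is one it is actively blocked by; other condition keys in the same statement are not evaluated here.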
If you use the AWS console from a mobile device or the AWS Console Mobile App, you're out of luck: those do not support U2F security keys for MFA.
If you'd like to add MFA for a federated user, or have several MFA options in use simultaneously, you need to configure it elsewhere. One option is Azure AD, which recently added the possibility of 5 simultaneous MFA devices. However, U2F is not a supported option in that scenario.
Protecting your most valuable assets against these attack vectors is not that hard. It's highly advisable to protect your root or local IAM account with some form of MFA, and for added protection you should consider switching to U2F-based MFA where applicable.