AWS Identity and Access Management (IAM) best practice is to require all IAM and root users in your account to sign into the AWS Management Console with multi-factor authentication (MFA). When MFA is enabled, AWS prompts users for their username and password (the first factor – what they know) and also provides an authentication challenge […]
AWS allows only Yubikey U2F, not any other U2F hardware vendor. It is even written in their announcement - they write "use Yubikey", not "use any U2F token". I recommend writing to them that they should support all U2F tokens, not just vendor-lock to one vendor.
I have a Yubikey, but I can't use this because it's only supported for console access in particular desktop browsers. Since a user can only have one MFA, switching to the Yubikey means I wouldn't be able to use the CLI, mobile, or apps that use the API.
Something else to add, it’s only on the AWS site that I see the pop up asking to see the make and model of the security key. Everywhere else it just goes through. This will be related to the issue by the looks of it.
I just updated the Trezor to the latest version to see if it was that, no difference.
This is literally hot off the press with AWS so possibly teething issues. When you try to follow their link on the modal pop up for ‘supported configurations’ for using U2F security keys, it gives a missing page, same for the troubleshoot U2F link that appears in bottom left corner 🤷🏻‍♂️
Yep, it’s infuriating. Apart from getting hacky with a u2fzero, I don’t know of any other way apart from Trezor that you can technically reproduce the same U2F token.
Whilst that might not be seen as desirable, I’ve found that few implementors provide the option for providing multiple tokens.
Shame on AWS.
A 1:1 for a device that could fail at some point, especially if it is tied to the root account could be devastating. Is there a plan for AWS to help us out if the YubiKey for the root account goes bad or gets corrupted?
Wouldn't you have the same problem with a virtual MFA (i.e. Google Authenticator) if your phone fails? How does using the hardware key make the problem worse. Because I'm guessing my Yubikey is more reliable than my phone.
There are TOTP apps which back up to the cloud or in other ways, and which you can set up across multiple devices easily.
Google Authenticator is woefully behind in those aspects, and I wish people would stop treating it like the TOTP quasi-standard.
This seems to be fairly typical of Google, giving the user options doesn't appear to be big on their list of priorities. Personally, I am happy to accept the risk factor in having the option to restore two dozen TOTP tokens to a new device, instead of having to spend the time getting them all revoked and recreated.
My phone has way more assurances than a yubikey. My phone is physically waterproof and I can find it through gps if I lose it, and the timed password turns every minute. My yubikey I use for work is an exposed chip and not sure about durability. I'll probably pass on this until I'm forced by my company to make the change.
agree! Having only a single second factor is very dangerous. I don't feel comfortable with that.
For G-Suite I can either ask one of the other admins if I lose my second factor or take the backup codes out of the company safe.
Did anybody lose their root MFA? What happens then? There must be some sort of default process in AWS....
I've lost it once. Had to prove ownership via the phone number registered to the root user. It wasn't fun.
I keep a printout of the QR code for the root MFA locked up so that won't happen again.
I've been waiting a long time for this.
Only being able to tie one device to an account is an interesting limitation though - Google for example makes it really clear you should assign a backup device.
Yeah I’d like multiple devices. I have one token on my keyring and a backup in a safe place. For users other than the root user you could create a second user associated with your backup token (maybe only authorize it to reset the MFA on the primary user or something)
In AWS you can have multiple identities. I would create one just for recovery that has super limited access.
I’m imagining one for resetting passwords which requires its own MFA and another that can reset MFAs that requires its own password.
Seems way over complicated, but so does AWS in general ;) that said... will that work with the root account too? I would find it odd if you could affect root credentials from an IAM account but I’m not well versed enough in AWS to know for sure.
FWIW there’s this recommendation as well:
[...we recommend that you delete your root user access keys and then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS. For more information, see Lock away your AWS account (root) access keys in the IAM User Guide...](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html)
With a root account, if you can prove ownership of the email address it's connected to, Amazon Support will remove the MFA requirement for a single login, and stay on the phone with you while you login. It's less than optimal, but at least there's a system in place for them to do it.
While this is a great step forward for U2F adoption, AWS made the same mistake several other online services have made by only allowing a single key per account. The typical U2F user carries at least two keys. (one on their person and one stored securely for backup) I hope they decide to change this because it will cause a ton of customer support problems in their future.
Key note: U2F isn't currently supported in the API, CLI or mobile apps. Docs are unclear as to what the fallback 2FA is, if there is one. Also, as before, you can only have one 2FA method configured at a time, so say goodbye to your hardware tokens or TOTP configurations for AWS if you switch to U2F.
EDIT: "Fallback" is to have root account remove your IAM user 2FA. If root account 2FA is lost they have a few alternative verification options like email or phone call. 
It's frustrating that they only allow a single key. I use 4 different hardware U2F devices. Google, GitHub, Dropbox, and every other service on which I've set up U2F have always allowed me to attach all of my security keys. It seems like AWS is about 3 years behind on this stuff.
- Requiring the attestation cert and not accepting a self-signed one—which U2F devices will magically not work? I don’t know, but apparently it’s strictly Yubikeys now.
- Still not convinced anyone seriously uses the console except for root accounts, where AWS forces you to.
- Only one U2F key? Bad. Only one U2F key and overall only one MFA method at all, disabling MFA where it matters most? Baffling.
- The legacy U2F API instead of just using WebAuthn already?
This is one of those things where I keep thinking I should just open source the SAML thing that safely gets an assertion to your CLI where you can assume-role with it, but who knows when AWS is going to decide to reimplement your project.
So, what I never understood about this flow is that only admins can set up MFA. A non-admin (any account without IAM permissions) has no way to set up MFA unless an admin does it for them. Currently, I have to have the person tell me their MFA codes next to me, so I can type them in and set it up. How does this work for U2F? Do I have to use their USB device on my computer to allow them to have MFA?
It's such a chicken and egg problem.
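Two of the problems raised in this thread, the admin having to enrol a non-admin's token by hand and the idea of a second, narrowly scoped user that can reset the primary user's MFA, are normally solved with IAM policy rather than by handling someone else's device. The block below is an added example and is not code from any commenter or from AWS: it builds the two policy documents and includes a deliberately simplified local evaluator (explicit deny beats allow, `*` wildcards, and only the `aws:MultiFactorAuthPresent` condition) so the effect of the "deny everything until MFA is present" statement can be checked offline. The account id `123456789012`, the user names `alice` and `alice-recovery`, and the evaluator itself are assumptions for illustration; the real decision is made by IAM, and none of this applies to the root user, whose MFA cannot be managed from an IAM identity.

```python
"""Added example, not from the thread or from AWS.

self_service_mfa_policy(): lets an IAM user enrol, resync and remove their own
MFA device, and denies everything else until the session carries MFA.
recovery_user_policy(): a second user that can only deactivate/delete the
primary user's MFA device, and only when signed in with its own MFA.
is_allowed(): a simplified model of IAM evaluation for checking the above.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # placeholder account id (assumption)


def self_service_mfa_policy(account=ACCOUNT):
    """Policy an admin attaches once; each user can then set up their own MFA."""
    user = f"arn:aws:iam::{account}:user/${{aws:username}}"
    mfa = f"arn:aws:iam::{account}:mfa/${{aws:username}}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
             "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
             "Resource": "*"},
            {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
             "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
             "Resource": mfa},
            {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
             "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                        "iam:ListMFADevices", "iam:ResyncMFADevice"],
             "Resource": user},
            # Everything not needed for enrolment is denied until MFA is present.
            # BoolIfExists also denies callers whose credentials carry no MFA key
            # at all (long-term access keys), which is what the thread worries about.
            {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
             "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                           "iam:GetUser", "iam:ListMFADevices",
                           "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                           "sts:GetSessionToken"],
             "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def recovery_user_policy(primary_user, account=ACCOUNT):
    """Policy for a break-glass user that can only reset one named user's MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ResetPrimaryUserMFAOnly", "Effect": "Allow",
            "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice",
                       "iam:ListMFADevices"],
            "Resource": [f"arn:aws:iam::{account}:user/{primary_user}",
                         f"arn:aws:iam::{account}:mfa/{primary_user}"],
            # Bool (not BoolIfExists): the recovery user must itself be MFA'd.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(cond, ctx):
    """Only the aws:MultiFactorAuthPresent key is modelled (assumption)."""
    mfa = ctx.get("aws:MultiFactorAuthPresent")  # None: key absent from request
    for op, kv in (cond or {}).items():
        want = kv["aws:MultiFactorAuthPresent"] == "true"
        if op == "Bool" and (mfa is None or mfa != want):
            return False
        if op == "BoolIfExists" and (mfa is not None and mfa != want):
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified IAM: any matching Deny wins, else any matching Allow, else deny."""
    username = ctx.get("aws:username", "")
    allowed = False
    for st in policy["Statement"]:
        hit = _matches(st["Action"], action) if "Action" in st \
            else not _matches(st["NotAction"], action)
        res = st["Resource"]
        res = [r.replace("${aws:username}", username)
               for r in ([res] if isinstance(res, str) else res)]
        if not (hit and _matches(res, resource) and _condition_ok(st.get("Condition"), ctx)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(self_service_mfa_policy(), indent=2))
    print(json.dumps(recovery_user_policy("alice"), indent=2))
```

With the first policy attached, a freshly created user can sign in with only a password, enable a device on their own user ARN, and nothing else; deactivating that device again requires an MFA'd session, so a stolen password alone cannot strip the factor. The recovery user's policy is scoped to one named user's ARN and its own MFA, which is the "super limited access" identity suggested above, expressed as policy rather than trust.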
Can you have more than one YubiKey associated with an AWS account? Or also setup TOTP, or have a set of backup codes in case you lost your hardware device? Seems kind of dangerous if you can only have one MFA method setup