AWS users are getting a big security boost with passkey support
AWS is adding passkey support in a bid to tighten up security controls for cloud users


Amazon Web Services (AWS) is adding support for FIDO2 passkeys as a multi-factor authentication (MFA) option, as the cloud giant prepares to boost the security requirements around more user accounts.
Back in October last year, AWS said it would begin to require MFA for the most privileged users on an AWS account, starting with AWS Organizations management account root users.
Starting next month, root users of standalone accounts (by which AWS means those that aren’t managed with AWS Organizations) will be required to use MFA when signing in to the AWS Management Console.
This policy change will start with a small number of customers and increase over a period of months. Customers will have a grace period to allow them to upgrade to MFA, and they will be reminded about it at sign-in.
AWS said this change does not apply to the root users of member accounts in AWS Organizations. It said there will be more information about the MFA requirements for remaining root user use cases, such as member accounts, later in the year.
MFA can come in many forms but generally means going beyond the classic username-and-password combination which, it has turned out, is a pretty flimsy way of securing accounts online. That's because passwords are too easy to guess, crack or re-use across different services.
They're easily shared, lost or stolen, which is why many data leaks and hacks start with attackers accessing systems using legitimate but compromised credentials. Stolen or leaked credentials are seen as one of the biggest risks to cloud infrastructure.
As cloud security improves, attackers are finding that obtaining valid credentials is an easier route. According to research by IBM earlier this year, cloud account credentials make up 90% of the for-sale cloud assets on the dark web.
As AWS extends the need for customers to use MFA it is also giving them another option to choose from in the form of FIDO2 passkeys.
“When used as MFA, passkeys provide enhanced security for human authentication in a user-friendly manner. You can register and use passkeys today to enhance the security of your AWS console access,” said Arynn Crow, senior manager of user authentication products for AWS Identity.
“This will help you to adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July.
“We strongly encourage you to adopt some form of MFA anywhere you’re signing in today, and especially phishing-resistant MFA, which we’re excited to enhance with FIDO2 passkeys.”
Passkeys are already used widely to improve account security (you can already use them to secure your Amazon shopping account, for example). Passkeys are FIDO2 credentials: a public/private key pair is created for each site, the private key never leaves the user's device or credential manager, and signing in is a challenge-response signature rather than a shared secret that can be typed into the wrong page. Syncable passkeys can be backed up and synced across devices and operating systems through a platform credential manager, rather than living only on a physical device such as a USB-based security key.
Whether you want to use passkeys or something else, AWS said that any type of MFA is better than no MFA at all.
“MFA is one of the simplest but most effective security controls you can apply to your account, and everyone should be using some form of MFA,” the firm said.
AWS points out that phishing and social engineering attacks that target users who use one-time codes for MFA, like the ones sent to your phone, have increased.
Because a one-time code is just a short string the user reads off a device and types in, an attacker can trick the user into entering it on a lookalike site, or reading it out over the phone, and then relay it to the real site within its validity window, bypassing the MFA check. Passkeys aren't vulnerable to this: the authenticator signs a challenge that is bound to the origin the browser is actually on, there is no code for the user to hand over, and a signature produced for a phishing site's origin will not verify at the real one.
AWS said that if your organization is already using another form of MFA, such as a non-syncable FIDO2 hardware security key or an authenticator app, whether you should migrate to syncable passkeys depends on your organization's use cases and requirements.
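To make the phishing-resistance point concrete, here is an added example, not AWS code and not from the article, that simulates in Go the FIDO2/WebAuthn assertion check a relying party performs. The relying-party ID `console.example`, the origins and the minimal authenticator-data layout are assumptions for illustration; the signed structure (authenticatorData || SHA-256(clientDataJSON)) and the checks on challenge, origin and rpIdHash follow the WebAuthn assertion flow. It runs a legitimate login, an adversary-in-the-middle phishing page that relays the real challenge, and a replay of a captured assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser builds: the server's
// challenge plus the origin the browser actually loaded; both end up signed.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives back from the browser.
type assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

func nonce() []byte { b := make([]byte, 32); rand.Read(b); return b }

// authData builds minimal authenticator data: SHA-256(rpId) || flags || counter.
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], 0x01), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedDigest is what both sides hash: authData || SHA-256(clientDataJSON).
func signedDigest(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return d[:]
}

// sign plays browser + authenticator. The browser, not the user, fills in the
// origin, so a lookalike page cannot claim the real site's origin.
func sign(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, counter uint32) (assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	if err != nil {
		return assertion{}, err
	}
	ad := authData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return assertion{ad, cd, sig}, err
}

// verify is the RP check. Challenge, origin and rpIdHash are checked before the
// signature, so a valid signature made on another origin or for an old challenge
// is still rejected; that binding is what makes the credential phishing-resistant.
func verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: replayed or stale assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: assertion was made on %q", cd.Origin)
	case len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case a.AuthenticatorData[32]&0x01 == 0:
		return errors.New("user-presence flag not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// demo returns the RP's verdict (nil = accepted) for a legitimate login, a
// phished assertion and a replayed one. rpID and origins are illustrative.
func demo() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID, origin = "console.example", "https://console.example"
	challenge := nonce()
	a, _ := sign(priv, rpID, origin, challenge, 1) // real site: RP accepts
	legit = verify(&priv.PublicKey, rpID, origin, challenge, a)
	// Phishing proxy relays the real challenge, but the victim's browser is on
	// the attacker's origin and that is what gets signed. (A real browser would
	// not even offer a console.example credential on another domain.)
	p, _ := sign(priv, rpID, "https://console-example.net", challenge, 2)
	phished = verify(&priv.PublicKey, rpID, origin, challenge, p)
	// A captured assertion replayed against a fresh challenge also fails.
	replayed = verify(&priv.PublicKey, rpID, origin, nonce(), a)
	return
}

func main() {
	l, p, r := demo()
	fmt.Printf("legit: %v\nphished: %v\nreplayed: %v\n", l, p, r)
}
```

Running it prints `legit: <nil>` followed by the origin-mismatch and challenge-mismatch rejections. The contrast with a one-time code is the origin field: a six-digit TOTP carries no information about where it was typed, so a relay from a lookalike page is indistinguishable from the real user, whereas here the relayed assertion is rejected before the signature is even examined.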
“Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices,” the cloud giant said.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.