Add An Extra Level Of Security To Your Amazon AWS Account With YubiKey And Multi-factor Authentication (MFA)
Increasing the security of your AWS account is quite easy and takes only a minute or two. Besides something you know — your username and password — you can add an extra layer of protection to your account with something you have — your MFA hardware key.
Using A YubiKey For the AWS Root User
After registering with AWS, your account is protected only by a username and a (hopefully) strong password. To add an extra layer of security on top of that, AWS supports Multi-factor authentication (MFA). You can enable MFA either for the AWS account itself or for an individual IAM (Identity & Access Management) user. In this tutorial, we're enabling MFA for the root user of your AWS account.
To secure your AWS account, go to the AWS Management Console, click your username in the main menu, and select My Security Credentials, which takes you to the corresponding page of the IAM service.
Next, open the Multi-factor authentication (MFA) tab and press the Activate MFA button.
AWS MFA supports two kinds of device. The first option is a Virtual Device, which is either an app on your mobile device or an application installed on your computer. Google Authenticator is probably one of the most frequently used apps in this area. Apps of this kind generate time-based one-time passwords (TOTP), which the user has to enter after first authenticating successfully with username and password. The second option is a real hardware device, which you insert into a USB port of your computer after you have authenticated with your username and password. Yubico and its YubiKey series is a key player in this field. This article focuses on the option U2F security key, which you have to select to register your YubiKey.
In the next step, insert your YubiKey into a USB port and tap the little golden disk.
Once registration has completed successfully, your account is secured by a second factor: your YubiKey.
From now on, after entering your username and password you will see the following dialog, which asks you to insert your YubiKey to prove the second factor of the sign-in process.
Theory Behind Using U2F Keys As An MFA Method
Amazon AWS supports only U2F-compatible hardware keys for two-factor authentication (2FA). U2F stands for Universal 2nd Factor, an open standard defined by the FIDO Alliance. The consortium has members such as Google, Yubico, Amazon, Intel, Infineon, Microsoft and many others. U2F is often referred to as FIDO1. Its successor FIDO2 allows login even without an initial password, and a FIDO2-compatible hardware key will most likely support FIDO1 as well.
When your YubiKey is registered for the MFA process, a key pair consisting of a private and a public key is created and stored on the hardware key itself. This key pair is tied to data such as the server address, the TLS certificate and a randomly generated session id (token). During registration, the public key and a randomly generated key handle are transferred to the server and stored there; the private key never leaves the hardware key. On each later authentication, the service sends back the user's key handle together with additional data such as the server address and a session id. The U2F hardware key signs this so-called challenge c and returns the signature to the server, which verifies it with the stored public key of the registered U2F key to complete the authentication.
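The registration and authentication exchange described above, as an added example that is not code from the article, AWS or Yubico: a single Go program models both the hardware key and the relying party with P-256 ECDSA, the curve U2F uses. The origin string and client data in the accompanying checks are constructed, and the signed-data layout (hash of the application id, user-presence byte, counter, hash of the client data) follows the U2F authentication message; the signature counter lets the server refuse a replayed assertion.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token stands in for the U2F key: one private key per key handle plus a signature counter.
type Token struct{ keys map[string]*ecdsa.PrivateKey; counter uint32 }
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Registration is what the relying party (AWS) stores for a registered key.
type Registration struct {
	KeyHandle []byte
	PubKey    *ecdsa.PublicKey
	Counter   uint32 // last counter seen; must strictly increase
}
// Register: new P-256 key pair on the token; the server gets only the public key and a random handle.
func (t *Token) Register() (*Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil { return nil, err }
	t.keys[string(handle)] = priv
	return &Registration{KeyHandle: handle, PubKey: &priv.PublicKey}, nil
}
// signedData: SHA-256(appID) || user-presence 0x01 || big-endian counter || SHA-256(clientData).
func signedData(appID string, ctr uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	data := append(app[:], 0x01, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	return append(data, cd[:]...)
}
// Authenticate: the token selects the key by the handle the server sent back, bumps its counter, signs.
func (t *Token) Authenticate(appID string, handle, clientData []byte) (uint32, []byte, error) {
	priv, ok := t.keys[string(handle)]
	if !ok { return 0, nil, errors.New("unknown key handle") }
	t.counter++
	digest := sha256.Sum256(signedData(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}
// Verify (server): rebuild the signed bytes from its own origin and challenge, check them, refuse a stale counter.
func Verify(reg *Registration, appID string, clientData []byte, ctr uint32, sig []byte) bool {
	if ctr <= reg.Counter { return false }
	digest := sha256.Sum256(signedData(appID, ctr, clientData))
	if !ecdsa.VerifyASN1(reg.PubKey, digest[:], sig) { return false }
	reg.Counter = ctr
	return true
}
```

Because the server hashes its own origin into the signed data, an assertion obtained for one site cannot be presented to another, which is what makes U2F phishing-resistant.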
Enabling MFA with a U2F security key such as a YubiKey takes only a minute or two, yet it adds a significant amount of security to your account. MFA should always be considered wherever a cloud provider offers it. A YubiKey costs from around $20, which is a very good investment. Compared with a one-time password generator such as the Google Authenticator app, a U2F security key is also much easier to handle. Countless failed login attempts with the Authenticator app, where I had just entered the generated password that expired before I could even hit enter, are testament to this.
- [Amazon IAM Multi-factor Authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)
- [Wikipedia: Multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication)
- [Wikipedia: U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor)
- [FIDO Alliance](https://fidoalliance.org)
- [U2F Technical Overview](https://developers.yubico.com/U2F/Protocol_details/Overview.html)