Add An Extra Level Of Security To Your Amazon AWS Account With YubiKey And Multi-factor Authentication (MFA)

Photo by Adli Wahid on Unsplash

Using A YubiKey For the AWS Root User

After registering to AWS your account is only secured by a username and a (hopefully) strong password. If you want to add an extra layer of security on top of that AWS supports Multi-factor authentication (MFA) [1],[2]. You can either secure your AWS account or an individual IAM (Identity & Access Management) user. In this tutorial, we’re enabling MFA for the root user of your AWS account.

MFA Setup and configuration will be done within the IAM service
Using MFA gives you an extra layer of security and only takes a minute or two to setup
Use option U2F security key for registering your Yubikey
Tap the little golden disk and you’re ready to go.

Theory Behind Using U2F Keys As A MFA Method

Amazon AWS supports only U2F compatible hardware keys for two-factor authentication (2FA). U2F stands for Universal 2nd Factor [3] which is an open standard defined by the FIDO Alliance [4]. The consortium has members such as Google, yubico, Amazon, Intel, Infineon, Microsoft and many others. Often U2F is titled FIDO1. The successor FIDO2 allows login even without an initial password. A FIDO2 compatible hardware key will most likely support FIDO1.

U2F Technical Overview [5]

Summary

It takes you only a minute or two to enable MFA with a U2F security key like Yubikey but it provides you a significant amount of additional security to your account. MFA should always be considered where a cloud provider is offering it. The cost for a Yubikey starts around 20$ which is a very good investment. In comparison to a One-Time Password generator such as the Google Authenticator app, handling of a U2F security key is much easier. Countless failed login attempts with the Authenticator app where I have just entered the generated password that expired before I could even hit enter are testament to this.

References

  1. [Amazon IAM Multi-factor Authentication] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
  2. [Wikepedia: Multi-factor authentication] https://en.wikipedia.org/wiki/Multi-factor_authentication
  3. [Wikepedia: U2F] https://en.wikipedia.org/wiki/Universal_2nd_Factor
  4. [FIDO Alliance] https://fidoalliance.org
  5. [U2F Technical Overview] https://developers.yubico.com/U2F/Protocol_details/Overview.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Frank Haubenschild

Frank Haubenschild

53 Followers

Dad, Software Engineer, Photographer, Reef- & Bee-Keeper, Founder, Drone Pilot — 🤓 💻 📷 🐝 🐠 💡👨‍✈️