Amazon Web Services (AWS) is adding support for FIDO2 passkeys as a multi-factor authentication (MFA) option, as the cloud giant prepares to boost the security requirements around more user accounts.
Back in October last year, AWS said it would begin to require MFA for the most privileged users on an AWS account, starting with AWS Organizations management account root users.
Starting next month, root users of standalone accounts (by which AWS means those that aren’t managed with AWS Organizations) will be required to use MFA when signing in to the AWS Management Console.
This policy change will start with a small number of customers and increase over a period of months. Customers will have a grace period to allow them to upgrade to MFA, and they will be reminded about it at sign-in.
AWS said this change does not apply to the root users of member accounts in AWS Organizations. It said there will be more information about the MFA requirements for remaining root user use cases, such as member accounts, later in the year.
MFA can come in many forms but generally means going beyond the classic user-name-and-password combination which, it has turned out, is a pretty flimsy way of securing accounts online. That’s because passwords are too easy to crack or re-use across different services.
They’re easily shared, lost or stolen, all of which is why many data leaks and hacks often start with attackers being able to access systems with some form of legitimate but compromised credentials. Stolen credentials or leaked credentials has been seen as one of the biggest risks to cloud infrastructure.
As cloud security improves, attackers are finding that obtaining valid credentials is an easier route. According to research by IBM earlier this year, cloud account credentials make up 90% of the for-sale cloud assets on the dark web.
As AWS extends the need for customers to use MFA it is also giving them another option to choose from in the form of FIDO2 passkeys.
“When used as MFA, passkeys provide enhanced security for human authentication in a user-friendly manner. You can register and use passkeys today to enhance the security of your AWS console access,” said Arynn Crow, senior manager of user authentication products for AWS Identity.
“This will help you to adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July.
“We strongly encourage you adopt some form of MFA anywhere you’re signing in today, and especially phishing-resistant MFA, which we’re excited to enhance with FIDO2 passkeys.”
Passkeys are already used widely to improve account security (you can already use them to secure your Amazon shopping account for example). Passkeys are FIDO2 credentials, which use public key cryptography to provide strong, phishing-resistant authentication, but can be backed up and synced across devices and operating systems rather than being stored on physical devices like a USB-based key.
Whether you want to use passkeys or something else, AWS said that any type of MFA is better than no MFA at all.
“MFA is one of the simplest but most effective security controls you can apply to your account, and everyone should be using some form of MF,” the firm said.
RELATED WHITEPAPER
AWS points out that phishing and social engineering attacks that target users who use one-time codes for MFA, like the ones sent to your phone, have increased.
Because using this option means you need to read the number or code from the device and enter it manually, attackers can also try to get users to read the code out to them instead, thereby bypassing the value of MFA. Passkeys aren’t vulnerable to this.
AWS said that if your organization is already using another form of MFA like a non-syncable FIDO2 hardware security key or authenticator app, the question of whether or not you should migrate to syncable passkeys is dependent on your or your organizations’ uses and requirements.
“Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices,” the cloud giant said.
-
Upcoming webinars not to be missedWebinar Sign up for these free webinars to help inform decision-making and get the most value out of IT today and tomorrow
-
‘Polyworking’ is a cybersecurity nightmare waiting to happenNews Particularly popular with Gen Z, so-called polyworking brings huge cybersecurity risks
-
‘Misses the mark’: Microsoft, AWS hit out at CMA cloud competition reportNews The CMA claims Microsoft and AWS are harming competition – the duo strongly disagree
-
US companies dominate the European cloud market – regional players are left fighting for scrapsNews Synergy data shows EU providers hold just 15% of the market despite rise in AI and drive for cloud sovereignty
-
Three of the biggest announcements from AWS Summit New YorkNews AWS may be known as a cloud services provider, but its pivot to AI services has taken the limelight
-
AWS misses quarterly revenue expectations – but Andy Jassy is still upbeatNews Jassy highlighted a number of key areas of interest after AWS' quarterly earnings results
-
The Wiz acquisition stakes Google's claim as the go-to hyperscaler for cloud security – now it’s up to AWS and industry vendors to reactAnalysis The Wiz acquisition could have monumental implications for the cloud security sector, with Google raising the stakes for competitors and industry vendors.
-
AWS expands Ohio investment by $10 billion in major AI, cloud push
News The hyperscaler is ramping up investment in the midwestern state
-
Microsoft hit with £1 billion lawsuit over claims it’s “punishing UK businesses” for using competitor cloud servicesNews Customers using rival cloud services are paying too much for Windows Server, the complaint alleges
-
AWS re:Invent 2024 live: All the news and updates from day-three in Las VegasLive Blog ITPro is live on the ground in Las Vegas for AWS re:Invent 2024 – keep tabs on all the news and updates from day-three here
