AWS introduces passkey multi-factor authentication (MFA) for root and IAM users

Amazon Web Services (AWS) has introduced FIDO2 passkeys as a new multi-factor authentication (MFA) method to improve account security and usability. The change applies to both root and IAM users. MFA adds a further layer of protection and is considered one of the simplest and most effective ways to harden an account and prevent unauthorized access. FIDO2 passkeys are hardware (security key) or software-based authenticators built on a public/private key pair: the private key signs a challenge sent by the server, and the server verifies that signature with the registered public key to validate the authentication attempt. Unlike one-time passwords, passkeys are robust against phishing and man-in-the-middle attacks. They can also be synchronized across devices, are supported on multiple device and operating system platforms, and provide strong authentication based on cryptography that is, in practice, infeasible to break.
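To show why a passkey is phishing-resistant in the way the paragraph describes, here is an added Go example (not AWS code and not from the original article) of a simplified WebAuthn assertion: the authenticator signs a server-issued challenge together with the origin the browser is really on and a hash of the relying party ID, and the server checks all three before the signature. The RP ID, origin and challenge strings are constructed placeholders, and the authenticator data is reduced to the RP ID hash plus a flags byte.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData holds the WebAuthn clientDataJSON fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newPasskey creates the P-256 key pair a passkey holds; only the public key is registered with the server.
func newPasskey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedDigest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// signAssertion plays the passkey: the browser fills in the origin it is really on and the authenticator binds the RP ID hash before signing.
func signAssertion(priv *ecdsa.PrivateKey, rpID string, cd clientData) (authData, cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(cd) // cannot fail for a struct of three strings
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags byte (user present)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// verifyAssertion plays the relying party: origin, RP ID and challenge are checked before the signature, so a response captured on a look-alike site never verifies.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 33 || !bytes.Equal(authData[:32], want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig)
}
```

A server must also issue a fresh random challenge per login and discard it after one use; the verify function only enforces that the response matches the challenge it is given.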
Activating passkey MFA
To enable passkey MFA, users select a user in the AWS Identity and Access Management (IAM) section of the AWS console and register the desired device under "Multi-factor authentication (MFA)". Users can also enable multiple MFA devices to broaden account recovery options and improve resilience. Passkeys can be registered through applications such as iCloud Keychain or with any password manager. Alternatively, another device such as a smartphone can be used for authentication by scanning a QR code, which triggers biometric authentication and stores the passkey on that device.
Mandatory MFA use for root users
Mandatory MFA for root accounts starts in July 2024, although the rollout is gradual and initially affects only a small number of customers. AWS is thereby giving users a grace period to adapt to the new security requirements. The requirement begins with the root users who hold the highest level of access and can make significant changes to the AWS environment, since those accounts are particularly exposed to serious attacks. These users see a pop-up alert at login reminding them of the new requirement. Root users of member accounts in AWS Organizations and ordinary user accounts are not initially required to enable multi-factor authentication, but are strongly encouraged to do so promptly for their own security.
Future plans and security obligations
AWS plans to extend the MFA requirement to further user categories, with details to be announced later in the year. According to AWS, this security measure is part of the cloud provider's ongoing commitment to improving its customers' security posture. Amazon has also recently committed to promoting MFA adoption by signing the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge.
In short, with the introduction of passkey MFA, AWS gives its users a stronger method of securing their accounts. The combination of cryptographic keys and biometric authentication provides a higher level of protection against unauthorized access, and the ability to register multiple MFA devices further strengthens security and simplifies recovery if a device is lost.
AWS Security Best Practices
The course "AWS Security Best Practices" provides an overview of security best practices and helps you better understand your own responsibilities. You will learn how to secure your network infrastructure, optimize and securely manage your computing resources, and monitor and respond to suspicious events. The course also covers topics such as securing the network, Amazon EC2 security and monitoring with Amazon CloudWatch.