News

Mandatory MFA for AWS Accounts Takes Effect

• By Gladys Rama
• 06/11/2024

As promised, Amazon Web Services (AWS) is beginning to make multifactor authentication (MFA) a requirement for its account holders.

AWS gave advance notice of the requirement last October. This week, it began to take effect, as AWS confirmed in a pair of blogs Tuesday.

Currently, the change only affects root users of AWS Organizations management accounts, who are typically the most privileged users in an AWS customer's environment. Starting July, the requirement will be applied to root users of standalone accounts.

Users will be prompted to set up MFA when they sign into their AWS Management Consoles. They'll be given a grace period (the AWS blogs didn't specify how long) before they'll be required to activate MFA.

The MFA requirement rollout will be gradual, starting with "just a few thousand accounts at a time," according to AWS' Sébastien Stormacq, and is expected to take place over a period of months.

There are some exceptions. "This change does not apply to the root users of member accounts in AWS Organizations," indicated AWS' Arynn Crow. "We will share more information about MFA requirements for remaining root user use cases, such as member accounts, later in 2024 as we prepare to launch additional features to help our customers manage MFA for larger numbers of users at scale."

In addition, the requirement will not apply to accounts in the AWS GovCloud region or to those in the Beijing and Ningxia regions (both in China). Accounts in these regions do not have root user credentials.

Support for FIDO2 Passkeys
As part of its push to enforce MFA for its users, AWS also on Tuesday announced new support for passkeys as another authentication option besides passwords.

Passkeys are a passwordless method of authentication based on FIDO2 security specifications. They're considered more immune to phishing attacks than password-based authentication because they don't rely on user credentials that can be easily stolen through malicious Web sites.

Instead, passkeys use public-key cryptography, user verification (often done through biometric sensors), and credentials that are tied to the domain that originally created them.

AWS is strongly encouraging customers to use FIDO2 passkeys in addition to passwords when setting up MFA for their accounts.

"You can register and use passkeys today to enhance the security of your AWS console access," Crow said. "This will help you to adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July."

However, she noted that "any type of MFA is better than no MFA at all."