AWS Step-by-Step

Getting Started with MFA for AWS, Part 2: Using a Security Key

In the previous blog post in this series, I explained that Amazon gives you three main options for setting up multi-factor authentication (MFA). Now that I have briefly discussed these options and answered a few questions, I want to show you how the Passkey or Security Key option works.

When it came time to set up MFA for my account, I opted for the Passkey or Security Key option. I really didn't want to have to run an authenticator app on my mobile device, and I didn't have a hardware TOTP token available, so using a passkey or a security key just seemed like the best option.

Amazon supports a variety of security keys, but the security key that you choose must support FIDO2. As I prepared to write this article, I spent some time looking at the various security keys that are available. Based on the reviews that I read (which may or may not be accurate), people seemed to have the best luck using YubiKey security keys. Initially, I tried using another brand of security key, and even though my key was FIDO2 compliant, I had trouble getting it to work. Incidentally, Amazon has also reported that using a security key on a system that is running Windows 10 may be problematic.

Although every security key vendor does things just a little bit differently, I wanted to give you an overview of what is involved in setting AWS up to use a security key. For the purposes of this article, I am going to assume that the key is being used on a Windows 11 system with either the Edge or Chrome browser installed.

Setting Up a Security Key
To get started, insert the security key and then open Windows Settings and click Accounts, followed by Sign In Options. Now, expand the Security Key section, shown in Figure 1, and then click the Manage button. When you do, you will be prompted to touch your security key. Upon doing so, you will be taken to the Windows Hello dialog box, shown in Figure 2. Click the Change button within the Security Key PIN section, shown in the figure. This will allow you to assign a PIN to the security key. Be sure to remember your PIN. If you forget your PIN, then your only option will be to perform a factory reset on the security key.

Figure 1: Click the Manage button found in the Security Key section.
Figure 2: Click the Change button to configure a PIN for the security key.

Next, go to AWS.com and enter your normal AWS credentials. At this point, you will arrive at a screen like the one shown in the previous article, indicating that you cannot log in without using MFA. This screen also prompts you to choose an MFA method.

Select the Passkey or Security Key option and click Next. When you do, Windows will display a popup, similar to the one shown in Figure 3, asking where you want to save the passkey. Choose the Security Key option, and click Next.

Figure 3: Choose the Security Key Option and Click Next.

At this point, your browser will display a confirmation message saying that you are about to set up your security key to sign in to aws.amazon.com. The message will go on to indicate the name of the account that will be associated with the security key. You can see what this looks like in Figure 4, although I have hidden my account information for obvious reasons.

Figure 4: Windows Confirms that the Security Key Will Be Used to Log into AWS.

Click OK and you will see a message telling you that Amazon will see the make and model of your security key.

At this point, it's possible that you might see a message telling you to insert your key, even if your key is already inserted. This can happen because some keys, like the one that I am using, are designed in a way that makes it possible to accidentally insert the key upside down. As such, if you see a message asking you to insert your key, try removing the security key from the USB slot, flipping it over, and reinserting it. When you do, you will likely see a message telling you to tap the key's touch sensor or to place your finger onto the fingerprint reader if your security key supports biometric authentication.

The next thing that you will need to do is to enter the PIN that is associated with the security key. This is the same PIN that you set up a moment ago. When you are done, you should see a message telling you that you can now use your security key to gain access to AWS, as shown in Figure 5.

Figure 5: You Can Use the Security Key to Log into AWS.
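Once the enrollment above has completed, it is worth confirming from the API side what IAM actually has on file for the user, since the console only shows the device you just added. The following is an added example (not from the original post) that classifies the output of `aws iam list-mfa-devices --user-name <user>` into the three MFA types discussed in this series; the JSON is a constructed sample with placeholder account and token IDs, and the assumption that IAM reports FIDO security keys under the `u2f` ARN resource type and virtual devices under `mfa` is based on the IAM resource-type naming.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws iam list-mfa-devices --user-name example-user`.
# The account ID, user name and token ID are placeholders, not real values.
SAMPLE_LISTING = json.loads("""
{
  "MFADevices": [
    {"UserName": "example-user",
     "SerialNumber": "arn:aws:iam::123456789012:mfa/example-user",
     "EnableDate": "2024-01-10T15:02:11+00:00"},
    {"UserName": "example-user",
     "SerialNumber": "arn:aws:iam::123456789012:u2f/user/example-user/default-EXAMPLETOKENID0001",
     "EnableDate": "2024-03-04T09:40:57+00:00"}
  ]
}
""")

# Assumption: IAM names FIDO security keys with the "u2f" resource type and
# virtual (authenticator-app) devices with "mfa". A hardware TOTP token is
# listed by its bare serial number, which is not an ARN at all.
_ARN_RE = re.compile(r"^arn:[^:]+:iam::\d{12}:(?P<type>mfa|u2f)/")


def classify_device(serial_number: str) -> str:
    """Map one SerialNumber value to the MFA type it represents."""
    m = _ARN_RE.match(serial_number)
    if m is None:
        return "hardware-totp"
    return {"mfa": "virtual-totp", "u2f": "fido-security-key"}[m.group("type")]


def summarize(listing: dict) -> dict:
    """Count registered devices per MFA type for a list-mfa-devices result."""
    counts = {"virtual-totp": 0, "hardware-totp": 0, "fido-security-key": 0}
    for dev in listing.get("MFADevices", []):
        counts[classify_device(dev["SerialNumber"])] += 1
    return counts


def has_fido_key(listing: dict) -> bool:
    """True when at least one FIDO security key is enrolled for the user."""
    return summarize(listing)["fido-security-key"] > 0


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LISTING), indent=2))
```

Feed it the real CLI output with `json.load` to check that the key you just registered appears, and that no stale virtual or hardware devices remain enrolled alongside it.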

Although the process that I just showed you is relatively straightforward, things can and sometimes do go wrong. As previously mentioned, I had a lot of problems with an "unspecified error" when I was using a generic security key.

If you have trouble getting your security key to work, or if you do not have a security key, there is a workaround. You can use Windows Hello in place of a security key. To do so, go to Settings, click Accounts, and then click Sign In Options. When you arrive at the Sign In Options screen, choose the PIN (Windows Hello) option. This will allow you to sign into your PC using a PIN instead of a password and effectively takes the place of a security key.

Before you commit to using a Windows Hello PIN, there are two things that you should know. First, if your PC is not currently using a password, then the Windows Hello options will be listed as Currently Unavailable. You can gain access to Windows Hello by associating a password with your account.

The second thing that you need to know about Windows Hello is that in Windows 11, Windows Hello forces you to associate a Microsoft account with your PC. As such, it's a good idea to make sure that you already have a Microsoft account before attempting to configure Windows Hello.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
