Starting in 2024, Multifactor Will Be an AWS Requirement, Not an Option
In a few months, root user accounts on Amazon Web Services will require multifactor authentication (MFA) to access.
The requirement will start sometime in mid-2024, AWS announced recently. "AWS is further strengthening the default security posture of our customers' environments by requiring the use of multi-factor authentication (MFA), beginning with the most privileged users in their accounts," wrote Amazon Chief Security Officer Steve Schmidt in a blog post explaining the move.
The change will initially affect root AWS user accounts, which "will be required to enable MFA to proceed." Root accounts essentially hold the keys to the kingdom in an organization. They're the first and most empowered identity in an organization's AWS environment, with the ability to make changes and perform actions for every service under the account. For that reason, AWS recommends that organizations limit use of and access to their root accounts, and avoid having more than one.
Following root accounts, AWS will make MFA a requirement for other user types, including standalone accounts.
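The root-first rollout described above maps directly onto two IAM API fields: `AccountMFAEnabled` in the account summary for the root user, and each IAM user's registered MFA device list. The audit below is an added example, not code from the article or from AWS; it assumes boto3 and IAM read permissions (iam:GetAccountSummary, iam:ListUsers, iam:ListMFADevices) for the live path, while the evaluation function itself runs offline on constructed sample data.

```python
"""Audit MFA coverage for the account root user and IAM users.

Added example, not from the article or from AWS. The live fetcher
assumes boto3 and read-only IAM credentials; mfa_gaps() itself needs
no SDK and runs on constructed data.
"""
from typing import Dict, List


def mfa_gaps(summary: Dict[str, int], user_devices: Dict[str, List[dict]]) -> List[str]:
    """Return identities that have no MFA device registered.

    summary: the SummaryMap from iam.get_account_summary(); its key
    'AccountMFAEnabled' is 1 when the root user has MFA enabled.
    user_devices: IAM user name -> MFADevices list from
    iam.list_mfa_devices(UserName=...). Root is reported first because
    it is the identity the AWS requirement starts with.
    """
    gaps = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        gaps.append("<root>")
    for name, devices in sorted(user_devices.items()):
        if not devices:
            gaps.append(name)
    return gaps


def collect_from_aws() -> List[str]:
    """Fetch live IAM data with boto3 and evaluate it (needs credentials)."""
    import boto3  # imported here so the offline evaluation needs no SDK
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    user_devices: Dict[str, List[dict]] = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            user_devices[name] = iam.list_mfa_devices(UserName=name)["MFADevices"]
    return mfa_gaps(summary, user_devices)


# Constructed sample data shaped like the IAM API responses; the account
# id and user names are placeholders, not real identities.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "Users": 2}
SAMPLE_USERS = {
    "alice": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],
}

if __name__ == "__main__":
    for identity in mfa_gaps(SAMPLE_SUMMARY, SAMPLE_USERS):
        print(f"MFA missing: {identity}")
```

Against the sample data the report lists the root user and `bob`; `alice` has a device and is not reported.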
AWS has already begun laying the groundwork for more widespread use of MFA among its customers, Schmidt noted. "To help more customers get started on their MFA journey, in fall 2021, we began offering a free MFA security key to eligible AWS account owners in the United States," he wrote. "And in November 2022, we launched support for customers to register up to eight MFA devices per account root user or per IAM user in AWS, creating additional flexibility and resiliency for your MFA strategy."
Schmidt indicated AWS is preparing new capabilities that will help organizations adopt, manage and scale MFA in 2024.