Setting Up MFA Using Hardware Devices
Setting up MFA with a hardware device is similar to setting it up with a virtual authenticator application, with the following slight changes:
- Get a hardware MFA device: To enable MFA using a hardware device, you must first obtain one.
- FIDO Security Keys: FIDO certified security keys can be ordered for free from the AWS console by US-based customers. Other users can buy keys such as Yubico for themselves. The process of adding a key to an account is:
- Log in to the AWS Management Console and, in the navigation bar in the upper right corner, select the account to which you wish to add the security key.
- From the drop-down shown below, choose the option Security credentials.
- This will take you to the IAM Global console, where you can manage the overall security of your account.
- Next, on the AWS IAM console, scroll down to see your MFA devices listed. Click the Assign MFA Device option.
- Select a suitable name for your device and choose the option Security Keys from the list as shown below. Then click Next.
- Next, connect the device to your computer and tap it. This successfully configures your security key for use with AWS. The next time you log in to your AWS account, you will need to use your security key.
- Hardware TOTP Tokens: To add these devices for MFA, follow these steps:
- Log in to the AWS Management Console and, in the navigation bar in the upper right corner, select the account to which you wish to add the security key.
- From the drop-down shown below, choose the option Security credentials.
- This will take you to the IAM Global console, where you can manage the overall security of your account.
- Next, on the AWS IAM console, scroll down to see your MFA devices listed. Click the Assign MFA Device option.
- Select a suitable name for your device and choose the option Security Keys from the list as shown below. Then click Next.
- After clicking Next, you will be taken to a new page where you must enter the serial number of your hardware device, which is located on its back.
- Fill in this serial number in the designated field. Start the device. You will see a six-digit MFA code. Enter it into the first field and wait for 30 seconds.
- A new MFA code will appear. Enter it into the second field and click the Add MFA button.
- This successfully adds the TOTP hardware device to the account. Please refer to the screenshot below.
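The two-code step above, sketched as an added example (not from the original article and not AWS's implementation): a verifier following RFC 6238 can use two consecutive codes to confirm that the token holds the expected seed and to measure how far its clock has drifted. The function names, the 10-step search window and the RFC 6238 test seed used as sample input are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time-step counter: HMAC-SHA1 plus RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def enroll(secret: bytes, code1: str, code2: str, now: int, window: int = 10):
    """Return the token's clock drift in time steps if code1 and code2 are
    consecutive codes within +/- window steps of server time, else None.

    Requiring two codes in order makes a lucky single guess useless and
    lets the verifier store the drift for later logins.
    """
    server_step = now // STEP
    for drift in range(-window, window + 1):
        step = server_step + drift
        if step < 0:
            continue
        first_ok = hmac.compare_digest(totp(secret, step), code1)
        second_ok = hmac.compare_digest(totp(secret, step + 1), code2)
        if first_ok and second_ok:
            return drift
    return None


if __name__ == "__main__":
    # Constructed sample input: the published RFC 6238 test seed, not a real token.
    seed = b"12345678901234567890"
    t = 1111111109  # RFC 6238 test time, falls in time step 37037036
    first, second = totp(seed, t // STEP), totp(seed, t // STEP + 1)
    print("codes shown by token:", first, second)
    print("drift, clocks in sync:", enroll(seed, first, second, now=t))
    print("drift, server 90 s ahead:", enroll(seed, first, second, now=t + 90))
    print("codes entered in wrong order:", enroll(seed, second, first, now=t))
```
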
How To Implement MFA For AWS Account
MFA stands for Multi-Factor Authentication. In AWS, it acts as a second layer of security to protect AWS accounts. Even if someone knows your password, they cannot access your account because they do not have your physical device. This is what it aims to achieve and it is a highly recommended security standard in organizations everywhere. Every account in AWS can have up to 8 security keys. In this article, we will understand how we can implement MFA in an AWS Account.