AWS has announced two new security enhancements. First, passkeys can now be used as a multi-factor authentication (MFA) method for root and IAM users, adding protection beyond a username and password. Second, AWS now mandates MFA for root users, starting with the management accounts of AWS Organizations. Additional accounts will become subject to this requirement throughout the year.
In a blog post, AWS Principal Developer Advocate Sébastien Stormacq discussed these MFA-related announcements. According to Stormacq, a passkey is a pair of cryptographic keys generated on your device when you register with a service or website, and it is used in FIDO2 authentication. A passkey consists of two linked cryptographic keys: a private key that is securely held on your device (as with a security key) and a public key that is kept by the service provider. You may sync your private key across devices using services such as iCloud Keychain, Google accounts, or password managers like 1Password.
Stormacq also stated that, as part of the same security announcement, AWS is now requiring multi-factor authentication (MFA) for root users on certain accounts. The goal of this program, first unveiled by Amazon’s Chief Security Officer Stephen Schmidt last year, is to strengthen security for the most privileged accounts.
AWS is rolling this out gradually, beginning with a small number of AWS Organizations management accounts and eventually extending to the majority of accounts. Users who do not have MFA enabled on their root account will be prompted to enable it when they sign in, with a grace period before MFA becomes mandatory.
To enable passkey MFA, sign in to the AWS Management Console and open the IAM console. Select the desired user and click “Assign MFA device” in the MFA section. Note that registering more than one MFA device for a user improves that user’s account-recovery options.
Next, name the device and choose “Passkey or security key”. If a password manager that supports passkeys is in use, it will offer to create and save the passkey; otherwise the browser displays its own options, which depend on the OS and browser. For instance, on a macOS computer running a Chromium-based browser, a prompt appears to generate the passkey and save it in iCloud Keychain using Touch ID. From this point on, the experience varies with the user’s choices.
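Once the mandate applies, an account owner will want to verify that the root user has MFA enabled and find any IAM users still signing in with a password alone. The audit below is an added example, not code from the article or from AWS; it uses the real boto3 calls GetAccountSummary (whose AccountMFAEnabled flag reflects the root user), ListUsers and ListMFADevices, assumes credentials with those three IAM read permissions, and takes the client as a parameter so it can be exercised here against a constructed fake with sample users.

```python
def audit_mfa(iam):
    """Return (root_mfa_enabled, [IAM user names with no MFA device])."""
    # AccountMFAEnabled in GetAccountSummary reflects the root user's MFA.
    summary = iam.get_account_summary()["SummaryMap"]
    root_mfa_enabled = summary.get("AccountMFAEnabled", 0) == 1

    # ListUsers is paginated via IsTruncated/Marker; walk every page.
    users, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        users.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            break
        kwargs = {"Marker": page["Marker"]}

    # No registered MFA device of any type means the user can still
    # sign in with a password alone.
    missing = [u for u in users
               if not iam.list_mfa_devices(UserName=u)["MFADevices"]]
    return root_mfa_enabled, missing


class FakeIam:
    """Constructed stand-in for boto3's IAM client (sample data only)."""
    def __init__(self):
        self._users = ["alice", "bob", "carol"]
        self._mfa = {"alice": ["arn:aws:iam::123456789012:mfa/alice"]}

    def get_account_summary(self):
        return {"SummaryMap": {"AccountMFAEnabled": 0}}  # root has no MFA

    def list_users(self, Marker=None):
        i = 0 if Marker is None else int(Marker)  # one user per page
        page = {"Users": [{"UserName": self._users[i]}]}
        if i + 1 < len(self._users):
            page.update(IsTruncated=True, Marker=str(i + 1))
        return page

    def list_mfa_devices(self, UserName):
        devices = self._mfa.get(UserName, [])
        return {"MFADevices": [{"SerialNumber": d} for d in devices]}


if __name__ == "__main__":
    # Against a real account: import boto3 and pass boto3.client("iam").
    root_ok, no_mfa = audit_mfa(FakeIam())
    print(f"root MFA enabled: {root_ok}")
    print("IAM users without MFA:", ", ".join(no_mfa) or "none")
```

With the constructed data the audit reports that root MFA is disabled and that bob and carol have no MFA device.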