Multi-factor Authentication

What is the need for Multi-factor Authentication (MFA)?

The most common way to secure an account (or application) is a password combined with a username or email address. This kind of login provides only a single layer of security, and the credentials can be compromised in several ways: a brute-force attack takes a long time, but if your password is common knowledge it will be cracked quickly; if someone eavesdropped while you entered your credentials, your account is compromised as well. Attackers also use social engineering to get you to reveal personal information, then use that same information to guess your password. To make accounts more secure, MFA is the key.

Multi-factor Authentication (MFA) for IAM

Multi-factor authentication requires the user to provide more than one verification factor to gain access to an account. The first factor is typically the username and password; subsequent factors can be verification through a virtual MFA device, where a six-digit OTP code is displayed on your personal mobile phone by an authenticator app such as Google Authenticator that is registered for the account. OTPs can also be received by email or SMS. A more secure option is a hardware token generator or a YubiKey that uses biometrics (a fingerprint) for authentication.

Note: As a security best practice, the root account should not be used to manage access to your account.

FIDO security keys

The hardware security key is provided by a third party such as Yubico. The security key is plugged into a USB port and authentication is completed with the user's fingerprint. A single FIDO key can be registered for multiple root accounts and IAM users.

Virtual authenticator app

The virtual authenticator app uses a time-based one-time password (TOTP). When you log in with your username and password you are also prompted for an OTP, which the authenticator app rotates after a few seconds.
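The TOTP scheme behind these apps is worth seeing end to end. The following is an added example, not code from the original post or from Cloudanix: it implements RFC 6238 (HMAC-SHA1 over a 30-second time counter, six digits) on top of RFC 4226 HOTP, decodes the base32 secret that a QR code provisions into the app, and shows the server-side check a defender actually needs: a small clock-skew window, a constant-time comparison, and rejection of any time step that has already been accepted so a captured code cannot be replayed. The secret, times and class name are the RFC test vector and assumptions of this example.

```python
"""Minimal TOTP (RFC 6238) generator and a server-side verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(key, at_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (otpauth:// URI / QR code);
    this restores the raw key bytes, tolerating the spaces and missing '=' padding apps show."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side of the exchange: accept a code from the current step or `window` adjacent
    steps (clock skew), compare in constant time, and never accept the same step twice."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_counter = -1  # highest time step already consumed by a login

    def verify(self, submitted: str, at_time: Optional[int] = None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        counter_now = at_time // self.step
        for counter in range(counter_now - self.window, counter_now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay: this step (or an older one) was already used
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"), as an app would receive it in base32.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "verified:", TotpVerifier(key).verify(code, now))
```

The verifier keeps `last_accepted_counter` per user; in a real deployment that value lives in the user record, and the skew window should stay small (one step each way) so that a leaked code is only useful for at most about a minute.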

TOTP hardware tokens

Hardware tokens also use the TOTP algorithm to generate one-time passwords, the same as the virtual authenticator app.

Use cases for multiple MFA devices

  • You can use multiple MFA devices for a single account. When authenticating you can use any one of the MFA devices, so if you lose one device you can still log in with another.
  • If the person holding one MFA device is unavailable, you can use the other MFA device to maintain access.
  • Additional MFA devices can be securely stored in a locker or safe for emergency use.
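A practical companion to these points is a check that every console user actually has the backup device the post recommends. The following is an added example, not code from the original post or from Cloudanix: it takes the JSON shape returned by `aws iam list-mfa-devices` (a `MFADevices` list of `UserName`, `SerialNumber`, `EnableDate`), classifies each device, and reports users with no MFA device or only one. The sample data is constructed (fake account ID and serial numbers), the user list and helper names are assumptions, and the serial-number heuristic (virtual devices and FIDO keys appear as `arn:aws:iam::...:mfa/...` and `...:u2f/...` ARNs, hardware TOTP tokens as plain serials) is an assumption about how the API presents them.

```python
"""Inventory MFA devices per IAM user and flag users below the recommended count (added example)."""
import json
from typing import Dict, List

# Constructed sample shaped like merged `aws iam list-mfa-devices` output. Not real account data.
SAMPLE_REPORT = json.dumps({
    "MFADevices": [
        {"UserName": "alice", "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
         "EnableDate": "2023-05-01T10:00:00Z"},
        {"UserName": "alice", "SerialNumber": "arn:aws:iam::111122223333:u2f/user/alice/default-EXAMPLE",
         "EnableDate": "2023-06-01T10:00:00Z"},
        {"UserName": "bob", "SerialNumber": "GAHT00000000",
         "EnableDate": "2023-07-01T10:00:00Z"},
    ]
})
# Constructed list of console users (in practice: `aws iam list-users`). "carol" has no device at all.
SAMPLE_USERS = ["alice", "bob", "carol"]


def classify(serial_number: str) -> str:
    """Assumed mapping from serial-number form to device type."""
    if ":u2f/" in serial_number:
        return "fido-security-key"
    if ":mfa/" in serial_number:
        return "virtual-totp"
    return "hardware-totp"


def inventory(report_json: str, users: List[str]) -> Dict[str, List[str]]:
    """Map every known user to the list of device types registered for them (empty = no MFA)."""
    devices = json.loads(report_json)["MFADevices"]
    result: Dict[str, List[str]] = {user: [] for user in users}
    for device in devices:
        result.setdefault(device["UserName"], []).append(classify(device["SerialNumber"]))
    return result


def needs_attention(inv: Dict[str, List[str]], min_devices: int = 2) -> Dict[str, str]:
    """Users who would lose access (or have no second factor) if a single device were lost."""
    findings: Dict[str, str] = {}
    for user, types in sorted(inv.items()):
        if not types:
            findings[user] = "no MFA device registered"
        elif len(types) < min_devices:
            findings[user] = f"{len(types)} device registered; fewer than {min_devices}"
    return findings


if __name__ == "__main__":
    inv = inventory(SAMPLE_REPORT, SAMPLE_USERS)
    for user, types in inv.items():
        print(f"{user}: {types}")
    for user, reason in needs_attention(inv).items():
        print(f"ATTENTION {user}: {reason}")
```

Run against real output by replacing `SAMPLE_REPORT` with the concatenated responses for each user; the check is intentionally read-only, so it can sit in a scheduled audit job.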

To register an MFA device

  • For a root user, choose My Security Credentials.
  • For an IAM user, choose Security credentials.

[Screenshot: Choose IAM security credentials]

  • Under Multi-factor authentication (MFA), choose Assign MFA device.
  • Select the type of MFA device that you want to use and then choose Continue.
  • Give the MFA device a name.

[Screenshot: Naming the MFA device]

To register another MFA device

  • Go to IAM Users and click Security credentials.
  • Choose Assign MFA device.

[Screenshot: Assigning an MFA device]

  • You can now select a security key such as a YubiKey.

[Screenshot: Selecting the new security key]

  • You now have two MFA devices registered for the user.

To login with MFA

  • Sign in to the AWS console.
  • Enter your username and password.
  • Under Additional verification required, select the type of MFA device you want to use to continue authenticating, and then choose Next.
  • If you are using a FIDO key you will see the following.

[Screenshot: Additional verification required]

  • Select USB security key for a FIDO key, or select Virtual MFA device if one is set up for the user.

Conclusion

In this blog we learned what MFA is and why it is required. We saw how to set up multiple MFA devices for an AWS root user or IAM user, and what the advantages of using multiple MFA devices are. Multiple MFA devices are now available in AWS except for customers in the AWS GovCloud (US) regions or the China regions. The MFA service is otherwise available at no extra cost.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Abhiram. Read the original post at: https://blog.cloudanix.com/multi-factor-authentication/