AWS Makes Significant Progress on Driving MFA Adoption
Amazon Web Services (AWS) is reporting that since last April more than 750,000 root user accounts on its AWS Organizations console for managing access to cloud services have enabled multifactor authentication (MFA).
Arynn Crow, senior manager for user authentication products at AWS, said the ultimate goal is to require all users with root access to have MFA in place by the spring of next year.
Those requirements are part of a larger Secure by Design initiative that includes FIDO2 passkey support added to the AWS Identity and Access Management (IAM) service last June. Since then, AWS has seen a 100% increase in the adoption of passkeys, noted Crow.
Passkeys are digital credentials that let end users sign in with, for example, a fingerprint registered to a specific device instead of a password, which is more easily compromised. Since adding passkey support for this strongest form of MFA, AWS has seen a 100% increase in adoption, said Crow.
At the same time, AWS is also making it simpler to centrally manage root access to accounts, which in turn makes it easier to eliminate root passwords that are no longer being used. IT teams can enable centralized root access with a configuration change made via the IAM console or the AWS command line interface (CLI).
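As an added illustration of that configuration change, the following shell script (written for this article, not code from AWS or the author) enables centralized root access from an Organization's management account, verifies that the feature reports as enabled, and then uses a short, task-scoped root session to delete a member account's root password. The member account ID, the organization ID and the `list-organizations-features` sample output are constructed placeholders; the CLI subcommands and the `IAMDeleteRootUserCredentials` task policy ARN are the public AWS ones as the author understands them. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: enable centralized root access for an AWS Organization,
# confirm it, then remove a member account's root password using a
# task-scoped privileged root session. Run from the management account.
# DRY_RUN=1 prints the commands instead of calling the AWS CLI.
set -eu

DRY_RUN="${DRY_RUN:-1}"
MEMBER_ACCOUNT="${MEMBER_ACCOUNT:-111122223333}"   # placeholder member account id
# Task policy that limits the root session to deleting root credentials only.
TASK_POLICY="arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# Run an AWS CLI command, or echo it in dry-run mode.
run_aws() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

# Step 1: turn on centralized root credentials management and root sessions.
enable_central_root() {
    run_aws iam enable-organizations-root-credentials-management
    run_aws iam enable-organizations-root-sessions
}

# Return 0 if feature $1 is listed in the JSON text $2
# (the output of `aws iam list-organizations-features`).
feature_enabled() {
    printf '%s\n' "$2" | grep -q "\"$1\""
}

# Step 2: both features must be reported before any root task is attempted.
check_features() {
    feature_enabled RootCredentialsManagement "$1" && feature_enabled RootSessions "$1"
}

# Step 3: take a 15-minute root session in the member account, scoped by the
# task policy, and use its credentials to delete that account's root password.
delete_member_root_credentials() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "aws sts assume-root --target-principal $1 --task-policy-arn arn=$TASK_POLICY --duration-seconds 900"
        echo "aws iam delete-login-profile   # as the member root, with the session credentials"
        return 0
    fi
    creds="$(aws sts assume-root --target-principal "$1" \
        --task-policy-arn "arn=$TASK_POLICY" --duration-seconds 900 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)"
    # Output is tab-separated: key id, secret, session token.
    set -- $creds
    AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
        aws iam delete-login-profile
}

# Constructed sample of list-organizations-features output once both are on.
SAMPLE_FEATURES='{"OrganizationId": "o-exampleorgid", "EnabledFeatures": ["RootCredentialsManagement", "RootSessions"]}'

main() {
    enable_central_root
    if [ "$DRY_RUN" = "1" ]; then
        features="$SAMPLE_FEATURES"
    else
        features="$(aws iam list-organizations-features)"
    fi
    if check_features "$features"; then
        delete_member_root_credentials "$MEMBER_ACCOUNT"
    else
        echo "centralized root access is not fully enabled; aborting" >&2
        return 1
    fi
}

main
```

The verification step matters because `assume-root` is refused until both features are on; checking `list-organizations-features` first gives a clear failure instead of a confusing access-denied error. Deleting the member account's root password after a centrally managed session is established is what lets the team retire a credential that would otherwise sit unused and phishable.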
There is, of course, no such thing as perfect security, but reducing the number of passwords being used or eliminating them altogether will go a long way to improving cloud security. After all, the number one threat to any IT environment remains phishing attacks through which cybercriminals steal credentials. Many of those cybercriminals are now using those credentials to inflict the maximum amount of damage possible by mimicking the normal behavior of an employee or customer for months.
It’s not clear how long it might be before MFA is ubiquitous, but resistance to it is declining rapidly as more consumer-oriented websites now routinely require it. Those requirements may be as simple as a text message used to confirm an identity, but the more individuals are exposed to some type of MFA, the less likely they are to view it as an intrusion. Instead, MFA is increasingly viewed as a signal that an organization values the security of the services being provided.
In general, password management remains unwieldy. End users either rely on simple passwords that are easily compromised, or they continually request resets of complex passwords they can’t remember. Very few will take the time to set up a password manager. Constantly rotating passwords might be considered a cybersecurity best practice, but it’s incumbent on application providers to make it easier to securely access services.
It may be a very long while before passwords are eliminated from the pantheon of cybersecurity tools employed. In one form or another, passwords have been employed by humanity since the dawn of civilization. However, now that passwords are required to access any digital service, their limitations are being keenly felt by not just cybersecurity and IT professionals, but also now, increasingly, end users themselves.