Logging in to the AWS Management Console supports multi-factor authentication (MFA).
Time-based one-time passwords (TOTP) generated by smartphone apps such as Google Authenticator are commonly used, but hardware authentication devices such as YubiKey can be used as well.
This article introduces how to set up multi-factor authentication login to the AWS management console using YubiKey.
Unlike one-time passwords, there is no code to type in, so I think this is more convenient to use.
Previously only one MFA device could be registered per user, but multiple devices can now be registered.
AWS has changed this specification over time.
Any authentication device that supports FIDO can be used. FIDO2 is currently the latest FIDO standard, but AWS uses the U2F function (FIDO1, in a nutshell). This means that slightly older U2F-only keys such as YubiKey 4 can also be used.
I would like it to support FIDO2 if possible.
Now let's set up multi-factor authentication.
Prepare for Setting
Multi-factor authentication can be set up either by logging in to the AWS console and configuring it yourself, or by an administrator user configuring it for another user.
This time, I will introduce the procedure for setting it up as the IAM user yourself.
To configure settings for another user, log in to the AWS console as an administrator user. Open "Users" in "IAM", select the target user, and click "Multi-factor authentication (MFA)" under "Security credentials" to register an authentication device in the same way as in this article.
The IAM user performing the setup must have permission to configure multi-factor authentication. If you do not have that permission, grant it in advance as necessary.
Permission to register a multi-factor authentication device: iam:EnableMFADevice
Permission to delete a registered multi-factor authentication device: iam:DeactivateMFADevice
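As an added example that is not part of the original article, the following self-service IAM policy grants the two permissions named above, scoped with the aws:username policy variable so that each IAM user can only register or remove MFA devices on their own user, not on anyone else's. The statement Sid is my own naming, and iam:ListMFADevices is added on the assumption that the console needs to list the user's existing devices on the security credentials page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ListMFADevices"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
```

The Resource restriction is what keeps this a least-privilege policy: without it, a user holding iam:DeactivateMFADevice could remove another user's second factor.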
Registration Setting Procedure
The following steps were performed in this environment:
Browser: Edge 109.0.1518.70
Authentication Device: YubiKey 5 NFC
First, log in to the AWS console as usual.
After logging in, click your name in the top right, then click "Security credentials".
Click the "Assign MFA device" button under "Multi-factor authentication (MFA)".
Enter a device name of your choice, select "Security Key", and click "Next".
Security key setup will start.
Click "OK" to proceed.
Then click "OK".
If the YubiKey is not connected to USB, you will be prompted to do so.
Connect your YubiKey to a USB port.
After connecting the YubiKey, you will be prompted for a PIN.
If you use a fingerprint-type authentication device, fingerprint verification will be requested instead of PIN entry.
For FIDO authentication devices that support neither PIN nor fingerprints, no PIN prompt is displayed (※).
※ Slightly older devices that do not support FIDO2 (U2F only), such as YubiKey 4.
A message will appear asking you to touch your YubiKey.
The "Y" on the connected YubiKey will light up, so touch it.
When registration is complete, a message like this is displayed.
Looking at its contents, it seems that up to 8 authentication devices can be registered.
※ Once the maximum of 8 devices has been registered, the "Assign MFA device" button is disabled.
The added key will be displayed in the list.
When I wondered where the device name I had entered could be checked, I found that it is included in the "Identifier".
The setting is completed.
You will now have multi-factor authentication on your next login.
Login Confirmation Procedure
Sign out once, and try to use the YubiKey when logging in.
Display the login screen of the AWS console.
Enter your username and password to sign in.
You will be asked to connect a security key as additional verification.
When you connect the YubiKey to USB, you will be asked to touch your key.
You will not be asked to enter a PIN when logging in. This is how U2F works: the AWS console uses the U2F flow, which does not include PIN verification.
Touch your YubiKey.
If the authentication is successful, the console screen will open.
You were able to successfully log in with multi-factor authentication using YubiKey.
Register Other Authentication Devices
I used a YubiKey 5 NFC in the procedure above, but any authentication device that supports FIDO can be used.
I will try registering with the other authentication devices sold by our company.
YubiKey Bio (Yubico)
※ My YubiKey Bio is Type C, but I don't have a Type C connection port on my PC, so I used a USB adapter.
YubiKey Bio is a device that can perform FIDO2 biometric authentication (fingerprint).
Idem Key (GoTrust)
Idem Key is an authentication device that uses a FIDO2 PIN, just like the YubiKey 5 NFC.
ATKey.Pro (AUTHENTREND)
ATKey.Pro is an authentication device that can perform FIDO2 biometric authentication (fingerprint).
YubiKey4 (Yubico)
YubiKey 4 is a U2F device. ※ Currently not available.
All of these authentication devices could be used.
What follows is a minor detail, but the operation at registration and at authentication differs slightly depending on the device.
The authentication devices tested this time can be divided into the following types:
FIDO2 (PIN): YubiKey 5 NFC, Idem Key, etc.
FIDO2 (biometric authentication): YubiKey Bio, ATKey.Pro, etc.
FIDO U2F: YubiKey 4, etc.
And the behavior for each type is as follows:
At registration:
FIDO2 (PIN): touch after entering a PIN
FIDO2 (biometric authentication): biometric check + touch
FIDO U2F: touch only
At authentication:
FIDO2 (PIN): touch only
FIDO2 (biometric authentication): biometric check + touch
FIDO U2F: touch only
Since the implementation on the AWS side is U2F, the behavior varies slightly when the device used is a FIDO2 device.
Summary
By setting up multi-factor authentication with a YubiKey, you can log in both more securely and more easily.
As I wrote at the beginning, one-time passwords (TOTP) are convenient because they can be used with a smartphone. But as the number of IDs you use grows, just finding the right entry becomes a chore, and entering the TOTP every time is surprisingly troublesome. So authentication devices are more convenient to use, right?
From a management point of view, it is also easy to administer, since all you have to manage is the physical devices.
If your company does not issue smartphones, putting one-time password secrets on personal smartphones is a concern from a security perspective. With a physical device, you can hand the device to the user only when it is needed.
If you have a FIDO authentication device such as YubiKey, why not give it a try?
You can purchase YubiKeys and other authentication devices we sell from the following sites.
For a quote, please contact us using the inquiry form.
Thank you for reading to the end.