Blog article

Multi-factor Authentication Login to AWS Management Console with YubiKey

Logging in to the AWS Management Console supports multi-factor authentication (MFA).

A one-time password (TOTP) app on a smartphone, such as Google Authenticator, is the common choice, but a hardware authenticator such as a YubiKey can be used as well.







This article shows how to set up multi-factor authentication login to the AWS Management Console with a YubiKey.

Unlike a one-time password, there is no code to type, so I find it more convenient to use.


Previously only one MFA device could be registered per user, but multiple devices can now be registered.

AWS has changed this specification over time.


Any authenticator that supports FIDO can be used. FIDO2 is the current standard, but AWS's security key sign-in only uses the U2F function (roughly speaking, FIDO1), so slightly older U2F-only keys such as the YubiKey 4 also work.

I would like it to support FIDO2 properly if possible.



Now let's set up multi-factor authentication.


 

Preparing for Setup


Multi-factor authentication can be configured either by an IAM user logging in to the AWS console and setting it up for themselves, or by an administrator configuring it for another user.

This article covers the first case: an IAM user registering their own device.

To configure it for another user, log in to the AWS console as an administrator, open "Users" under "IAM", select the target user, and click "Multi-factor authentication (MFA)" under "Security credentials". The device registration steps are the same as in this article.

The IAM user performing the setup must have permission to register an MFA device. If the user does not have it, grant the permission in advance.


Permission to register a multi-factor authentication device:

iam:EnableMFADevice

Permission to remove a registered multi-factor authentication device:

iam:DeactivateMFADevice
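The practical question behind these two permissions is what a user can do before they have enrolled a key, and whether a session without MFA can remove the key again. The following is an added example, not code from the article or from AWS. It models IAM's evaluation order in deliberately simplified form (an explicit Deny wins, then any matching Allow, otherwise deny; no resource policies, SCPs or permission boundaries, and no condition key other than aws:MultiFactorAuthPresent) and runs a policy modeled on AWS's documented "manage your own MFA device, require MFA for everything else" pattern against it. The account ID, the user name "alice" and the s3:ListAllMyBuckets statement are assumptions chosen for illustration.

```python
import fnmatch

# Policy modeled on the AWS-documented self-service MFA pattern (assumed here,
# not taken from the article). Note that iam:DeactivateMFADevice is deliberately
# NOT in the NotAction list of the Deny statement: a session without MFA may
# enroll a device but may not remove one.
SELF_SERVICE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:EnableMFADevice",
                "iam:DeactivateMFADevice",
                "iam:ListMFADevices",
                "iam:GetUser",
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
        {
            "Sid": "AllowNormalWork",  # assumed placeholder for the user's real permissions
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
        },
        {
            "Sid": "DenyAllExceptEnrollmentIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:GetUser",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            # BoolIfExists: also matches when the key is absent (e.g. long-term access keys).
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    # NotAction: the statement applies to every action that is NOT listed.
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _resource_matches(statement, resource, username):
    # ${aws:username} is substituted before wildcard matching.
    return any(fnmatch.fnmatchcase(resource, p.replace("${aws:username}", username))
               for p in _as_list(statement["Resource"]))


def _condition_matches(statement, mfa_present):
    # Only aws:MultiFactorAuthPresent under Bool/BoolIfExists is modeled;
    # an absent key is treated like "false", which is what BoolIfExists does.
    cond = statement.get("Condition")
    if not cond:
        return True
    for operator, pairs in cond.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if key != "aws:MultiFactorAuthPresent":
                raise NotImplementedError(key)
            if str(mfa_present).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy, action, resource, username, mfa_present):
    """Simplified identity-policy evaluation: explicit Deny wins, default deny."""
    allowed = False
    for st in policy["Statement"]:
        if not (_action_matches(st, action) and _resource_matches(st, resource, username)
                and _condition_matches(st, mfa_present)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def actions_before_mfa(policy, actions, resource, username):
    """The subset of `actions` a user can perform before enrolling an MFA device."""
    return sorted(a for a in actions if is_allowed(policy, a, resource, username, False))


if __name__ == "__main__":
    user_arn = "arn:aws:iam::123456789012:user/alice"  # assumed account and user
    for mfa in (False, True):
        for act in ("iam:EnableMFADevice", "iam:DeactivateMFADevice", "s3:ListAllMyBuckets"):
            print(f"mfa={mfa!s:5} {act:26} -> {is_allowed(SELF_SERVICE_MFA_POLICY, act, user_arn, 'alice', mfa)}")
```

The point to check in your own policy is the last statement: the only actions that escape the Deny when aws:MultiFactorAuthPresent is false are the ones needed to enroll a device, so a stolen password alone can add a key but cannot deactivate the one that is already registered.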


 

Registration Procedure


The following steps were performed in this environment:


Browser: Edge 109.0.1518.70

Authentication Device: YubiKey 5 NFC


First, log in to the AWS console as usual.

After logging in, click your user name in the top right and choose "Security credentials".

Screenshot: Selecting "Security credentials"

Click the "Assign MFA device" button under "Multi-factor authentication (MFA)".

Screenshot: "Assign MFA device" settings

Enter a device name of your choice, select "Security Key", and click "Next".

Screenshot: MFA device settings

Security key setup will start.

Click "OK" to proceed.

Screenshot: Security key setup pop-up

Then click "OK".

Screenshot: "Continue setup" pop-up

If the YubiKey is not connected via USB, you will be prompted to connect it.

Screenshot: Prompt to connect the security key

Connect your YubiKey to a USB port.

Photo: YubiKey connected to a USB port

After connecting the YubiKey, you will be prompted for a PIN.

Screenshot: PIN entry

With a fingerprint-type authenticator, fingerprint verification is requested instead of a PIN.
No PIN prompt appears for FIDO authenticators that support neither a PIN nor fingerprints (※).
※ Slightly older, U2F-only devices that do not support FIDO2, such as the YubiKey 4.

A message will appear asking you to touch your YubiKey.

Screenshot: Prompt to touch the security key

The "Y" on the connected YubiKey lights up; touch it.


Photo: Touching the YubiKey

When registration is complete, a message like the following is displayed.

Screenshot: Registration complete message

Reading the message, up to 8 authentication devices can be registered.

※ Once 8 devices are registered, the "Assign MFA device" button is disabled.


The added key appears in the list.

If you wonder where the device name you entered went, it is included in the "Identifier" column.


Setup is complete.

Multi-factor authentication will be required from your next login.


 

Login Verification Procedure


Sign out, then try logging in with the YubiKey.

Open the AWS console login screen.

Enter your username and password to sign in.

Screenshot: Prompt for the security key as additional verification

You will be asked to connect a security key as additional verification.


When you connect the YubiKey via USB, you will be asked to touch the key.

No PIN is requested at login. That is how U2F works.

Screenshot: Prompt to touch the security key as additional verification

Touch your YubiKey.

Photo: Touching the YubiKey

If authentication succeeds, the console opens.

Screenshot: Login success screen

Login with multi-factor authentication using the YubiKey succeeded.


 

Register Other Authentication Devices


The procedure above used a YubiKey 5 NFC, but any authenticator that supports FIDO can be used.

I also tried registering the other authenticators our company sells.


YubiKey Bio (Yubico)

YubiKey Bio










※ My YubiKey Bio is the USB-C model, but my PC has no USB-C port, so I used a USB adapter.

The YubiKey Bio is an authenticator that performs FIDO2 biometric authentication (fingerprint).


Idem Key (GoTrust)

IdemKey











The Idem Key is an authenticator that uses a FIDO2 PIN, just like the YubiKey 5 NFC.


ATKey.Pro (AUTHENTREND)

ATKey.Pro











The ATKey.Pro is an authenticator that performs FIDO2 biometric authentication (fingerprint).


YubiKey4 (Yubico)

YubiKey4










The YubiKey 4 is a U2F-only device. ※ No longer available.


All of these authenticators could be used.


The following is a minor point, but the steps at registration and at login differ slightly depending on the device.

The authenticators tested here fall into the following types:


FIDO2 (PIN) …YubiKey5 NFC, Idem Key, etc.

FIDO2 (biometric authentication) …YubiKey Bio, ATKey.Pro, etc.

FIDO U2F …YubiKey4, etc.


And the behavior for each type is as follows:

At registration:

FIDO2 (PIN): Touch after entering a PIN

FIDO2 (biometric authentication): biometric check + touch

FIDO U2F: touch only


At authentication:

FIDO2 (PIN): touch only

FIDO2 (biometric authentication): biometric check + touch

FIDO U2F: touch only


Because the AWS side only uses the U2F function, a FIDO2 authenticator behaves slightly differently at registration than at login: the PIN (or fingerprint) is checked when the key is registered, but only a touch is required when signing in.
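The three behaviours above are visible on the relying-party side in one byte: every FIDO2/WebAuthn registration and assertion carries "authenticator data" whose flags byte records whether the key was touched (UP, user present) and whether a PIN or fingerprint was checked (UV, user verified). A touch-only U2F-style login sets UP without UV; a FIDO2 PIN or biometric check sets both. The following is an added example, not code from the article or from AWS: it decodes that byte, rejects an assertion with no proof of presence, checks the rpIdHash against the expected relying party, and applies the WebAuthn signature-counter clone check. The RP ID "signin.example.com", the sample bytes and the counter values are constructed for the demonstration.

```python
import hashlib
import struct

# Authenticator data layout (WebAuthn Level 2, section 6.1):
#   rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional credential/extension data
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint was checked
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Decode the fixed 37-byte prefix and verify it belongs to `rp_id`."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected relying party")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_credential": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def classify(auth_data: bytes, rp_id: str) -> str:
    """Map the flags to the behaviour types described in the article."""
    info = parse_authenticator_data(auth_data, rp_id)
    if not info["user_present"]:
        # A response without UP proves nothing about a human at the key.
        raise ValueError("user presence flag not set: rejecting response")
    if info["user_verified"]:
        return "touch + user verification (FIDO2 PIN or biometric)"
    return "touch only (U2F-level)"


def sign_count_ok(stored: int, received: int) -> bool:
    """WebAuthn clone detection: a counter that does not increase may mean a
    cloned authenticator. Keys without a counter always report 0."""
    if stored == 0 and received == 0:
        return True
    return received > stored


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample response: only the 37-byte prefix, no credential data."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "signin.example.com"  # assumed RP ID for the demonstration
    print("U2F-style login :", classify(build_auth_data(rp, FLAG_UP, 12), rp))
    print("FIDO2 with PIN  :", classify(build_auth_data(rp, FLAG_UP | FLAG_UV, 13), rp))
    print("counter 12 -> 13:", sign_count_ok(12, 13))
    print("counter 12 -> 12:", sign_count_ok(12, 12))
```

A practical caveat follows from this: a relying party that asks for user verification only at registration, as the article observes for the console, gets a touch-only assertion at login, so possession of the key is the whole second factor and the PIN protects nothing at sign-in time. Whether that is acceptable is a policy decision for the relying party, not something the key owner can change.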

 

Summary


Setting up multi-factor authentication with a YubiKey lets you log in both more securely and more easily.


As noted at the beginning, a one-time password (TOTP) is convenient because it runs on a smartphone. But as the number of accounts grows, just finding the right entry becomes a chore, and typing the code each time is surprisingly tedious. A hardware authenticator is more convenient to use.


From a management perspective it is also simpler, since all you have to manage is a physical device.

If your company does not issue smartphones, putting one-time-password secrets on personal phones is uncomfortable from a security standpoint. With a physical device, you can hand it to the user only when it is needed.


If you have a FIDO authentication device such as YubiKey, why not give it a try?


You can purchase YubiKeys and other authentication devices we sell from the following sites.

For a quote, please contact us using the inquiry form.


YubiKey Shop (Authorized Reseller)


Amazon


Contact


Thank you for reading to the end.
