Ask HN: AWS registering MFA will be required in 29 days

7 points by herodoturtle 4 days ago

Hi folks,

When signing into our AWS console this morning we noticed this security popup - "Registering MFA will be required in 29 days".

Below the notice is a list of options for registering for MFA, and I quote:

> 1. Passkey or Security key: Authenticate using your fingerprint, face, or screen lock. Create a passkey on this device or use another device, like a FIDO2 security key.

> 2. Authenticator app: Authenticate using a code generated by an app installed on your mobile device or computer.

> 3. Hardware TOTP Token: Authenticate using a code generated by hardware TOTP token or other hardware devices.

Perhaps this is a dumb question, but why can't we just use email for 2FA? (or maybe there is a way and we've just missed it?)

If email 2FA is not an option, which of the above 3 options would you recommend to minimise hassle?

(Option 1 looks simple but sounds like it's limited to individual devices? Option 2 - the idea of installing an app - irks us. With option 3 would we each need a hardware token?)

Any guidance would be appreciated. Thanks.

YouWhy 3 days ago

First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

https://www.fhtino.it/docs/keepass-totp--intro/

Also, Keepass2Android can be used in a similar vein from Android devices. iOS equivalents seem to exist as well.

mooreds 4 days ago

I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.

  • herodoturtle 4 days ago

    We all have the gmail app installed on our phones - is this something we could tap into for Google Authenticator?

    Forgive the ignorant questions, as you can tell we're pretty new to this stuff.

    Kinda wish we could just use simple email 2FA to be honest!

    Thanks for the reply.

    • mooreds 3 days ago

      No worries. Google Authenticator is entirely separate from gmail. I think there was a sibling comment that linked to the AWS docs.

      As far as I know, you don't even have to have a google account to use Google Authenticator in many use cases. (You do if you want to back up your secrets.)

      • herodoturtle 3 days ago

        Ok great thanks for clarifying all that ^_^

xet7 3 days ago

On Linux, I manage local 2FA with the Numberstation GUI. It can import and export.

sudo apt install numberstation

I manage passwords with KeepassXC

sudo apt install keepassxc

There is also a newer version with additional features:

https://github.com/keepassxreboot/keepassxc

  • herodoturtle 3 days ago

    Thank you these are some really helpful tips ^_^

stephenr 3 days ago

Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

  • herodoturtle 3 days ago

    To answer your question in your second line I'd have to refer back to your first line with a chuckle...

    I wish there were a simple step-by-step guide for (example) how to set up MFA in AWS using my browser/password manager. As in, an ELI5 explanation. Gosh that would help demystify this stuff! Not that it's mysterious or anything... but for the uninitiated it's a bit of a steep learning curve!

    • dotps1 3 days ago

      For passkeys, your password manager should prompt you to save them if it supports them.

      For the authenticator (TOTP), you just save a QR code where it tells you. Just google "TOTP <your password manager>" and I'm sure you will find a guide.

dotps1 3 days ago

Personally I would do all of them.

I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

I would link my account to my authenticator app.

Then I would also register my yubikey I keep on my keychain.

  • herodoturtle 3 days ago

    It sounds like you have experience with all 3 options, in which case may I ask:

    If you had to pick 1, which of the 3 options is the most streamlined / causes you the least amount of hassle?

    We're a relatively small dev team (~5 people) if that influences the answer in any way.

    Thanks for the tips!

    • dotps1 3 days ago

      Least amount of hassle is probably a passkey in your password manager, if it supports it.

      Passkeys are the quickest way to sign in.

      Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.

      If you find yourself struggling with passkeys, then the "authenticator" route is next best.

      This just gives you a QR code, which you can also store in your password manager and have it generate one time codes.

      If you have an authenticator app on your phone, you can rescan that same QR code to have the codes both places. (password manager and authenticator app)
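Both the suggestion above (rescanning one QR code into a password manager and a phone app) and the earlier one (printing the QR code as a break-glass copy) rest on the same fact: the QR code encodes an otpauth:// URI containing a base32 secret, and every RFC 6238 app derives the code from that secret plus the current time. The following is an added example, not code from any commenter or from AWS; it parses such a URI, computes the code two independent times to show that any two "devices" holding the seed agree, and includes the drift-tolerant, constant-time check a verifier would perform. The otpauth URI is constructed for illustration (the issuer and account label are assumed); the secret is the RFC 6238 reference test key, so the output can be checked against the RFC's published vectors. It also shows why the printed QR needs the same protection as a password: the secret in it is the long-lived key, not a one-time code.

```python
"""Minimal RFC 6238 TOTP: parse an enrolment QR's otpauth:// URI, derive codes, verify.

Added illustration only; uses nothing beyond the Python standard library.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the otpauth:// URI an enrolment QR code encodes.
# The secret is the RFC 6238 reference key ("12345678901234567890" in base32);
# "AWS" / alice@example.com are assumed labels, not values from any real account.
ENROLMENT_URI = (
    "otpauth://totp/AWS:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=AWS&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and parameters from an otpauth://totp/ URI."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def totp_code(secret_b32: str, unix_time: int, digits: int = 6,
              period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC(secret, floor(time / period)), dynamically truncated to `digits`."""
    # otpauth secrets are usually unpadded base32; restore padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def code_from_uri(uri: str, unix_time: int) -> str:
    """What any authenticator that scanned this QR would display at `unix_time`."""
    cfg = parse_otpauth(uri)
    return totp_code(cfg["secret"], unix_time, cfg["digits"], cfg["period"], cfg["algorithm"])


def verify_code(secret_b32: str, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Verifier-side check: accept +/- `window` time steps of clock drift, compare in constant time."""
    for step in range(-window, window + 1):
        t = unix_time + step * period
        if t < 0:
            continue
        expected = totp_code(secret_b32, t, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Two "devices" that scanned the same QR: both hold the seed, both derive the same code.
    phone_app = code_from_uri(ENROLMENT_URI, now)
    password_manager = code_from_uri(ENROLMENT_URI, now)
    print("phone app:       ", phone_app)
    print("password manager:", password_manager)
    print("agree:", phone_app == password_manager)
    print("verifier accepts:", verify_code(parse_otpauth(ENROLMENT_URI)["secret"], phone_app, now))
```

Because the code is a pure function of (secret, time), a printed QR restores access exactly as a scan would, which is why it works as a break-glass and why it must be stored as carefully as the root password. The verifier's `window` also shows the practical limit of that model: a device whose clock has drifted by more than one step will be rejected until its time is corrected.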

      • stephenr 3 days ago

        > Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.

        This is only true if you don't use a password manager which syncs passkeys.