AWS has added support for FIDO2 passkeys, a passwordless authentication method under the Fast Identity Online (FIDO) framework, for multifactor authentication — and will soon make MFA mandatory for signing in to AWS accounts.

“Beginning in July 2024, root users of standalone accounts — those that aren’t managed with AWS Organizations — will be required to use MFA when signing in to the AWS Management Console,” Arynn Crow, senior manager for user authentication products at AWS, said at the company’s re:Inforce event on Tuesday. “Just as with management accounts, this change will start with a small number of customers and increase gradually over a period of months,” she said.

AWS will allow customers a grace period to enable MFA which will be displayed as a reminder at sign-in.

AWS will enforce MFA use by year end

Presently, and as the first leg of its MFA enforcement program, AWS only imposes MFA on the ‘management account’ root users of AWS Organizations, a policy-based account management service that consolidates multiple AWS accounts into an ‘organization’, when they sign into AWS console.

It was in October 2023 that it first announced the coming expansion of the MFA mandate to standalone AWS root users, promising features that will “make MFA even easier to adopt and manage at scale”.

The changes do not apply — yet — to the ‘member accounts’ of AWS Organizations, Crow said on Tuesday. Member accounts are accounts other than the management account used to create and manage the “organization”.

AWS has plans to launch additional features later this year to help customers manage MFA for larger number of users, such as the member accounts in AWS Organization.

Passkeys for phishing-resistant authentication

To ease the pain of having to use a second authentication factor to log in, Crow said AWS will support the use of FIDO2 passkeys.

These are more secure than one-time passwords or password-based MFA methods, according to Crow.

Passkeys are considered to be phishing-resistant as they are based on public key cryptography. After a user creates a passkey with a site or application, a private-public key pair is generated on the user’s device. While the public key is accessible through the site or application, it is useless in the hands of a threat actor without the private key.

Using a passkey for signing in is largely automatic, requiring no typing or entry, and is inherently more secure. This is because passkeys do not involve extra steps or codes that could be susceptible to theft, phishing, or interception if handled improperly.

Syncable passkeys, an implementation of the FIDO2 standard, allows for the passkeys to be shared across devices and operating systems once generated on a device. This is better as it will allow passkeys to be backed up and synced across devices, unlike storing in a physical device like a USB-based key, Crow explained.

“Customers already use passkeys on billions of computers and mobile devices across the globe, using only a security mechanism such as a fingerprint, facial scan, or PIN built into their device,” Crow added. “For example, you could configure Apple Touch ID on your iPhone or Windows Hello on your laptop as your authenticator, then use that same passkey as your MFA method as you sign in to the AWS console across multiple other devices you own.”