AWS Single Sign-On enables administrators to require users to set up MFA devices during sign-in

Posted on: Nov 23, 2020

AWS Single Sign-On (SSO) administrators can now require users to self-enroll multi-factor authentication (MFA) devices during sign-in. For your users without a registered MFA device, you can require them to complete a self-guided MFA enrollment process following a successful password authentication. This allows administrators to secure their organization’s AWS environments with MFA without having to individually enroll and distribute authentication devices to users.

During self-enrollment, users can register a device using any of the MFA methods their administrator has enabled. After completing registration, users can give the newly enrolled MFA device a friendly name, after which AWS SSO redirects them to their original destination. Administrators can enable any supported MFA method, including time-based one-time password (TOTP) authenticator apps such as Google Authenticator, FIDO-enabled security keys such as YubiKey, and the built-in platform authenticators on Android, iOS, Windows, and macOS. Requiring MFA self-enrollment lets you enforce MFA for every user in the identity source and removes administrator tasks such as enrolling and distributing MFA devices or reminding users to register one. If a user's device is lost or stolen, remove that device from the user's account; AWS SSO will then require the user to self-enroll a new device at their next sign-in. Because a replacement device is enrolled after password authentication alone, treat removal of the lost device (and a password reset, if compromise is suspected) as the step that actually closes the exposure.

This feature, along with all other AWS SSO MFA capabilities, is available when you use AWS SSO or Active Directory as your identity source. If an external identity provider is your identity source, MFA is enforced by that provider rather than by AWS SSO. To learn how to enable this feature through the AWS SSO admin console, see the AWS SSO User Guide.

It is easy to get started with AWS SSO. With a few clicks in the AWS SSO management console you can create users in AWS SSO or connect your existing identity source, configure MFA to secure access to all of your AWS Organizations accounts and hundreds of pre-integrated cloud applications, and give your users access through a single user portal. To learn more, visit AWS Single Sign-On.

There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Tokyo), Asia Pacific (Mumbai), EU (Ireland), EU (Frankfurt), EU (London), and EU (Stockholm) Regions.