AWS News Blog

Amazon Multi-Factor Authentication for AWS Accounts

An additional layer of protection, once reserved for banks and large enterprises, is now available to protect your AWS account from unauthorized use. This should be especially attractive to our enterprise-level customers, but we expect customers of all types to value the additional security.

Once activated for your AWS account, our new Amazon Multi-Factor Authentication (MFA) feature requires you to provide a second piece of information (an authentication code) in order to log in to the AWS Portal and the AWS Management Console.

To activate this feature, you must first purchase an authentication device here. Once you have the device in-hand you can activate it for your AWS account using the AWS portal. From that point forward, you will need to provide your password and the authentication code from the device in order to log in.

The devices are small, lightweight, and long-lasting. Fraudulent usage becomes much more difficult because a successful login combines something you know (your email address and password) with something you have (the authentication device).

We are following the OATH reference architecture for time-based one-time passwords. In this model, the authentication device contains a very accurate clock. Once synchronized to your AWS account, the device displays a new set of pseudo-random digits every 30 seconds. The digit stream is based on the current time and the device’s unique serial number.
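As an added illustration, not part of the original post and not AWS's own implementation: the OATH time-based one-time password scheme (RFC 6238, layered on the HOTP construction of RFC 4226) worked through in Python, on both the token side (generating the code) and the verifier side (checking it). It assumes a per-device secret seed shared between the token and the account it was activated for (the standard keys the HMAC with a registered secret; the serial number the post mentions is what identifies which seed to use), the 30-second step the post mentions, and two server-side checks a practitioner would expect: a one-step clock-drift window and single-use enforcement so a captured code cannot be replayed. The seed and timestamps below are the public test vectors from RFC 6238 Appendix B, not real credentials.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP_SECONDS = 30   # the post: a new code every 30 seconds
DIGITS = 6               # typical display length; RFC test vectors use 8

# Public test vector seed from RFC 6238 Appendix B (ASCII "12345678901234567890").
# Constructed for illustration only; a real seed is a random secret per device.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = DIGITS,
         step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one device: drift window plus one-time-use enforcement.

    `window` is how many steps either side of "now" are accepted, to tolerate a
    token clock that has drifted slightly. `last_counter` records the highest
    step already redeemed so the same code is never accepted twice.
    """

    def __init__(self, secret: bytes, digits: int = DIGITS,
                 step: int = TIME_STEP_SECONDS, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_counter = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                                      # already used: reject replay
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


def rfc6238_vectors(secret: bytes = RFC6238_SEED) -> dict:
    """Recompute the SHA-1 column of the RFC 6238 Appendix B table (8-digit codes)."""
    times = [59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000]
    return {t: totp(secret, t, digits=8) for t in times}


if __name__ == "__main__":
    for t, code in rfc6238_vectors().items():
        print(f"T={t:>11}  TOTP={code}")
    verifier = TotpVerifier(RFC6238_SEED, digits=8)
    code = totp(RFC6238_SEED, 59, digits=8)
    print("first use accepted:", verifier.verify(code, 59))     # True
    print("replay accepted:   ", verifier.verify(code, 59))     # False
    print("live code now:", totp(RFC6238_SEED, int(time.time())))
```

The expected values for the vector table are the ones printed in RFC 6238 Appendix B (for example, T=59 gives 94287082 with SHA-1); a mismatch there means the HMAC input or truncation is wrong. The two design choices worth keeping in any real verifier are the small drift window (a wide window weakens the "every 30 seconds" guarantee) and the remembered `last_counter`, which turns each code into a strictly one-time credential.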

Once you purchase an authentication device from one of our participating third-party vendors, use of MFA is free. Each device works with a single AWS account and each AWS account accommodates at most one device.

— Jeff;

Jeff Barr

Jeff Barr is Chief Evangelist for AWS. He started this blog in 2004 and has been writing posts just about non-stop ever since.