AWS Official Blog

New – AWS Virtual (Software) Multi-Factor Authentication – RFC 6238 Support

by Jeff Barr | on | in AWS IAM | | Comments

As you might already know, you can enable AWS Multi-Factor Authentication (MFA for short) for your AWS account and your Identity and Access Management (IAM) users to provide an additional level of security. Once you have enabled MFA for an account or IAM user, you need to enter an authentication code in addition to your user name and password to sign in to the AWS Management Console or AWS Portal, providing additional security above and beyond that offered by the usual password authentication.

We support hardware MFA devices, which you can purchase to generate your MFA authentication codes. These familiar keyfob devices are used by many corporations and financial services companies, and are a great option if your IT security policies mandate the use of hardware MFA devices.

Today we are pleased to announce that we are introducing an additional option, the Virtual MFA device. You can now generate MFA authentication codes on your smartphone or tablet. You can use our new AWS Virtual MFA Android app, or you can use any application that supports the OATH TOTP (Time-based One-Time Password) protocol, also known as RFC 6238 for you IETF geeks. So regardless of whether you prefer the convenience, flexibility, and economy (as in free) of a virtual MFA device, or the time-tested hardware MFA device, we’ve got you covered.

You can download the AWS Virtual MFA application from the Amazon Appstore for Android or from Google’s Android Market. After you have installed the app (or, alternatively, one from this list), you can login in to the AWS Management Console and set it up. Here’s a walk-through:

The AWS Account Credentials section on the IAM Dashboard section of the AWS Management Console allows you to manage the MFA (if any) associated with the account or a particular IAM user. Let’s step through the workflow needed to set this up for the account (the IAM user workflow is very similar):

To manage MFA for an IAM user, select the user and then select the Security Credentials tab:

You can choose to activate a Virtual MFA device or a hardware MFA device:

If you choose to activate a Virtual MFA Device, you must first install a compatible application (we’ll include a list of such applications on the AWS site):

If your device has the ability to scan QR codes, you can create a Virtual MFA device by pointing the camera at the AWS Management Console screen (if you can’t scan, you can choose to display the secret key and then enter it manually):

Once you have done this, you must click on the enable link, and then enter two consecutive authentication codes:

And that’s all there is to it. Once you have enabled the Virtual MFA device, you will log in to the AWS portal and the AWS Management Console using your email address (or IAM user for the console), password, and the current authentication code from the device:

To get started, download our Android app or read more about Multi-Factor Authentication.

 — Jeff;