AWS Security Blog

Add a layer of security for AWS IAM Identity Center user portal sign-in with context-aware email-based verification

September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.


If you’re an IT administrator of a growing workforce, your users will require access to a growing number of business applications and AWS accounts. You can use AWS IAM Identity Center to create and manage users centrally and grant access to AWS accounts and business applications, such as Salesforce, Box, and Slack. When you use AWS IAM Identity Center, your users sign in to a central portal to access all of their AWS accounts and applications. Today, we launched email-based verification that provides an additional layer of security for users signing in to the AWS IAM Identity Center user portal. AWS IAM Identity Center supports a one-time passcode (OTP) sent to the user’s email address, which the user then enters as a verification code during sign-in. When enabled, AWS IAM Identity Center prompts users for their user name and password and then for the verification code that was sent to their email address. Users need all three pieces of information to sign in to the AWS IAM Identity Center user portal.

You can enable email-based verification in context-aware or always-on mode. We recommend you enable email-based verification in context-aware mode for users created using the default AWS IAM Identity Center directory. In this mode, users sign in easily with their username and password for most sign-ins, but must provide additional verification when their sign-in context changes, such as when signing in from a new device or an unknown location. Alternatively, if your company requires users to complete verification for every sign-in, you can use always-on mode.

In this post, I demonstrate how to enable verification in context-aware mode for users in your IAM Identity Center directory using the AWS IAM Identity Center console. I then demonstrate how to sign in to the AWS IAM Identity Center user portal using email-based verification.

Enable email-based verification in context-aware mode for users in your IAM Identity Center directory

Before you enable email-based verification, you must ensure that all your users can access their email to retrieve their verification code. If your users require the AWS IAM Identity Center user portal to access their email, do not enable email-based verification. For example, if you use AWS IAM Identity Center to access Office 365, then your users may not be able to access their AWS IAM Identity Center user portal when you enable email-based verification.

Follow these steps to enable email-based verification for users in your IAM Identity Center directory:

  1. Sign in to the AWS IAM Identity Center console. In the left navigation pane, select Settings, and then select Configure under the Two-step verification settings.
  2. Select Context-aware under Verification mode, and Email-based verification under Verification method, and then select Save changes.
    Figure 1: Select the verification mode and the verification method

  3. Before you choose to confirm the changes in the Enable email-based verification window, make sure that all your users can access their email to retrieve the verification code required to sign in to the AWS IAM Identity Center user portal without signing in using AWS IAM Identity Center. To confirm your choice, type CONFIRM (case-sensitive) in the text-entry field, and then select Confirm.
    Figure 2: The “Enable email-based verification” window

You’ll see that you successfully enabled email-based verification in context-aware mode for all users in your AWS IAM Identity Center directory.

Figure 3: Verification of the settings

Next, I demonstrate how your users sign in to the AWS IAM Identity Center user portal with email-based verification in addition to their user name and password.

Sign in to the AWS IAM Identity Center user portal with email-based verification

With email-based verification enabled in context-aware mode, users must enter the verification code sent to their email address whenever there is a change in their sign-in context. Here’s how that works:

  1. Navigate to your AWS IAM Identity Center user portal.
  2. Enter your email address and password, and then select Sign in.
    Figure 4: The “IAM Identity Center” window

  3. If AWS detects a change in your sign-in context, you’ll receive an email with a 6-digit verification code that you will enter in the next step.
    Figure 5: Example verification email

  4. Enter the code in the Verification code box, and then select Sign in. If you haven’t received your verification code, select Resend email with a code to receive a new code, and be sure to check your spam folder. You can select This is a trusted device to mark your device as trusted so you don’t need to enter a verification code unless your sign-in context changes again, such as signing in from a new browser or an unknown location.
    Figure 6: Enter the verification code

The user can now access AWS accounts and business applications that the administrator has configured for them.
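To make the behaviour described in the two procedures above concrete, here is an added example that models a context-aware email OTP step in Python. It is not AWS code and does not reflect how IAM Identity Center is implemented internally; it is a simplified model for readers who want to reason about the security properties of this kind of step-up verification. The class name `ContextAwareVerifier`, the `send_email` callback, the device identifiers, the user `alice@example.com`, the 10-minute code lifetime and the three-attempt limit are all assumptions made for the example. The model captures the properties an administrator relies on: the code is 6 digits and single-use, it expires, guessing is rate-limited, only a hash of the code is kept server-side, a device the user marks as trusted skips the second step, and an unfamiliar device triggers it again.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # the post describes a 6-digit code
OTP_TTL_SECONDS = 600     # assumed lifetime for this model, not an AWS value
MAX_ATTEMPTS = 3          # assumed guess limit for this model, not an AWS value


class ContextAwareVerifier:
    """Simplified model of a context-aware email-based second step.

    The primary factor (user name + password) is checked elsewhere; this
    class only decides whether a second step is needed and verifies it.
    """

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email   # callable(to_address, code): assumed mail transport
        self.clock = clock             # injectable for testing expiry
        self.trusted = {}              # user -> set of device ids marked "trusted device"
        self.pending = {}              # user -> {"hash", "expires", "attempts"}

    @staticmethod
    def _hash(user, code):
        # Store only a digest so a leaked pending table does not reveal live codes.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def begin_sign_in(self, user, password_ok, device_id):
        """First step. Returns 'denied', 'signed_in' or 'verification_required'."""
        if not password_ok:
            return "denied"
        if device_id in self.trusted.get(user, set()):
            # Known context: no change, so no second step (context-aware mode).
            return "signed_in"
        # Context change (new device): issue a fresh single-use code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = {
            "hash": self._hash(user, code),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_email(user, code)
        return "verification_required"

    def complete_sign_in(self, user, submitted_code, device_id, trust_device=False):
        """Second step. Returns 'denied', 'retry' or 'signed_in'."""
        entry = self.pending.get(user)
        if entry is None:
            return "denied"                       # nothing outstanding (or already used)
        if self.clock() > entry["expires"]:
            del self.pending[user]
            return "denied"                       # expired: user must request a new code
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["hash"], self._hash(user, submitted_code)):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[user]            # too many guesses: invalidate the code
                return "denied"
            return "retry"
        del self.pending[user]                    # correct code is single-use
        if trust_device:
            self.trusted.setdefault(user, set()).add(device_id)
        return "signed_in"


def demo():
    """Walk through the sign-in flow with a constructed user, mailbox and clock."""
    outbox = []                                   # constructed stand-in for the user's inbox
    now = [1_000.0]                               # controllable clock
    v = ContextAwareVerifier(send_email=lambda to, code: outbox.append((to, code)),
                             clock=lambda: now[0])
    user = "alice@example.com"                    # constructed sample user
    steps = []
    steps.append(v.begin_sign_in(user, True, "laptop-A"))              # new device -> code emailed
    code = outbox[-1][1]
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)                   # guaranteed-wrong code
    steps.append(v.complete_sign_in(user, wrong, "laptop-A"))          # one bad guess -> retry
    steps.append(v.complete_sign_in(user, code, "laptop-A", trust_device=True))  # signed in, device trusted
    steps.append(v.begin_sign_in(user, True, "laptop-A"))              # same device -> no second step
    steps.append(v.begin_sign_in(user, True, "phone-B"))               # unknown device -> code emailed
    now[0] += OTP_TTL_SECONDS + 1                                      # let the code expire
    steps.append(v.complete_sign_in(user, outbox[-1][1], "phone-B"))   # expired -> denied
    return steps


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through mirrors the steps above: the first sign-in from a new device triggers the email, a wrong code can be retried, the correct code signs the user in and, because the device was marked trusted, the next sign-in from it skips verification, while a sign-in from a different device triggers the email again. Note the operational caveat the post raises: if the user's mailbox is itself behind the portal, `send_email` delivers a code the user cannot read, which is why the author says not to enable the feature in that configuration.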

Summary

In this post, I shared the benefits of using email-based verification in context-aware mode. I demonstrated how you can enable email-based verification for your users through the IAM Identity Center console. I also showed you how to sign in to the AWS IAM Identity Center user portal with email-based verification. You can also enable email-based verification for IAM Identity Center users from your connected AD directory by following the process outlined above.

If you have comments, please submit them in the Comments section below. If you have issues enabling email-based verification for your users, start a thread on the AWS IAM Identity Center forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Ujjwal Pugalia

Ujjwal is the product manager for the console sign-in and sign-up experience at AWS. He enjoys working in the customer-centric environment at Amazon because it aligns with his prior experience building an enterprise marketplace. Outside of work, Ujjwal enjoys watching crime dramas on Netflix. He holds an MBA from Carnegie Mellon University (CMU) in Pittsburgh.