AWS Security Blog

Add a layer of security for AWS SSO user portal sign-in with context-aware email-based verification

If you’re an IT administrator of a growing workforce, your users will require access to a growing number of business applications and AWS accounts. You can use AWS Single Sign-On (AWS SSO) to create and manage users centrally and grant access to AWS accounts and business applications, such as such Salesforce, Box, and Slack. When you use AWS SSO, your users sign in to a central portal to access all of their AWS accounts and applications. Today, we launched email-based verification that provides an additional layer of security for users signing in to the AWS SSO user portal. AWS SSO supports a one-time passcode (OTP) sent to users’ email that they then use as a verification code during sign-in. When enabled, AWS SSO prompts users for their user name and password and then to enter a verification code that was sent to their email address. They need all three pieces of information to be able to sign in to the AWS SSO user portal.

You can enable email-based verification in context-aware or always-on mode. We recommend you enable email-based verification in context-aware mode for users created using the default AWS SSO directory. In this mode, users sign in easily with their username and password for most sign-ins, but must provide additional verification when their sign-in context changes, such as when signing in from a new device or an unknown location. Alternatively, if your company requires users to complete verification for every sign-in, you can use always-on mode.

In this post, I demonstrate how to enable verification in context-aware mode for users in your SSO directory using the AWS SSO console. I then demonstrate how to sign into the AWS SSO user portal using email-based verification.

Enable email-based verification in context-aware mode for users in your SSO directory

Before you enable email-based verification, you must ensure that all your users can access their email to retrieve their verification code. If your users require the AWS SSO user portal to access their email, do not enable email-based verification. For example, if you use AWS SSO to access Office 365, then your users may not be able to access their AWS SSO user portal when you enable email-based verification.

Follow these steps to enable email-based verification for users in your SSO directory:

  1. Sign in to the AWS SSO console. In the left navigation pane, select Settings, and then select Configure under the Two-step verification settings.
  2. Select Context-aware under Verification mode, and Email-based verification under Verification method, and then select Save changes.
     
    Figure 1: Select the verification mode and the verification method

    Figure 1: Select the verification mode and the verification method

  3. Before you choose to confirm the changes in the Enable email-based verification window, make sure that all your users can access their email to retrieve the verification code required to sign in to the AWS SSO user portal without signing in using AWS SSO. To confirm your choice, type CONFIRM (case-sensitive) in the text-entry field, and then select Confirm.
     
    Figure 2: The "Enable email-based verification" window

    Figure 2: The “Enable email-based verification” window

You’ll see that you successfully enabled email-based verification in context-aware mode for all users in your AWS SSO directory.
 

Figure 3: Verification of the settings

Figure 3: Verification of the settings

Next, I demonstrate how your users sign into the AWS SSO user portal with email-based verification in addition to their username and password

Sign-in to the AWS SSO user portal with email-based verification

With email-based verification enabled in context-aware mode, users use the verification code sent to their email when there is a change in their sign-in context. Here’s how that works:

  1. Navigate to your AWS SSO user portal.
  2. Enter your email address and password, and then select Sign in.
     
    Figure 4: The "Single Sign-On" window

    Figure 4: The “Single Sign-On” window

  3. If AWS detects a change in your sign-in context, you’ll receive an email with a 6-digit verification code that you will enter in the next step.
     
    Figure 5: Example verification email

    Figure 5: Example verification email

  4. Enter the code in the Verification code box, and then select Sign in. If you haven’t received your verification code, select Resend email with a code to receive a new code, and be sure to check your spam folder. You can select This is a trusted device to mark your device as trusted so you don’t need to enter a verification code unless your sign-in context changes again, such as signing in from a new browser or an unknown location.
     
    Figure 6: Enter the verification code

    Figure 6: Enter the verification code

The user can now access AWS accounts and business applications that the administrator has configured for them.

Summary

In this post, I shared the benefits of using email-based verification in context-aware mode. I demonstrated how you can enable email-based verification for your users through the SSO console. I also showed you how to sign into the AWS SSO user portal with email-based verification. You can also enable email-based verification for SSO users from your connected AD directory by following the process outlined above.

If you have comments, please submit them in the Comments section below. If you have issues enabling email-based verification for your users, start a thread on the AWS SSO forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Ujjwal Pugalia

Ujjwal is the product manager for the console sign-in and sign-up experience at AWS. He enjoys working in the customer-centric environment at Amazon because it aligns with his prior experience building an enterprise marketplace. Outside of work, Ujjwal enjoys watching crime dramas on Netflix. He holds an MBA from Carnegie Mellon University (CMU) in Pittsburgh.