Amazon Computer Services
What is Multi-Factor Authentication (MFA)?
MFA stands for Multi-Factor Authentication. It is an additional layer of security for user authentication that requires users to enter a six-digit code in addition to the username and password. It can be enabled for individual IAM users, and it is a best practice to enable MFA for all users.
It adds an additional layer of protection on top of the username and password. When it is enabled, the user must enter a unique six-digit authentication code from an approved authentication source (hardware- or software-based) or from an SMS text message when accessing the AWS Management Console.
MFA can be enforced for both kinds of access: an individual's console login and an application's programmatic calls to AWS. It can also be enabled for the root user.
MFA can be enabled in one of the following ways:
- Hardware or software security token
- SMS text message-based
Security token-based MFA
When it comes to security token-based MFA, two options are available: hardware-based or software/virtual (that is, mobile application-based). Hardware security tokens can be purchased from an authorized vendor, and virtual security token software can be installed on a smartphone. A hardware-based MFA token device looks something like this:
To enable MFA for an IAM user, the MFA hardware device or software application must be registered with that IAM user. Once registered, the device or application generates six-digit numeric codes using the time-based one-time password (TOTP) algorithm.
Each code is displayed for 30 seconds and then changes. Enabling MFA adds a security layer: if a username and password fall into an unauthorized person's hands, that person still cannot misuse them without the MFA token. The MFA token keeps rotating the code, and the code is generated only by the synchronized MFA device for that specific IAM user.
Steps for enabling a virtual MFA device for a user
The following steps represent how to enable MFA for a user:
- Log in to the AWS console.
- Go to the IAM dashboard.
- Select Users from the left pane and click on a user, as shown in the following figure:
- Select the Security credentials tab, as shown in the following figure:
- Click on the edit button to edit the Assigned MFA device, as shown in the following figure:
- Select A virtual MFA device and click on the Next Step button:
- On the following screen, click on the link here, as shown in the following figure. It gives a list of AWS MFA-compatible apps available for several mobile platforms. If we have already installed a virtual MFA application, we can tap on Next Step and continue to step 9.
- We can download a virtual MFA application from our device's application store. The supported applications for multiple platforms are listed in the following figure. We can close this information window to return to the previous screen, as shown in the previous figure, and click on Next Step.
- Determine whether the MFA app supports QR codes, and then do one of the following:
  - Use the mobile application to scan the QR code. Depending on the software we use, we may have to select the camera icon or a similar option. Then use the device camera to scan the code.
  - In the Manage MFA Device wizard, select Show secret key for manual configuration, and then type the secret configuration key into our MFA application.
  When we are done, the virtual MFA device begins generating one-time passwords.
- As shown in the following figure, we need to type a one-time password into the Authentication Code 1 box. We use the one-time password shown in the virtual MFA device. Before we can enter the second one-time password in the Authentication Code 2 box, we have to wait for approximately 30 seconds.
After the waiting period, the device generates another one-time password. We enter this fresh one-time password into the Authentication Code 2 box. Then we select Activate Virtual MFA.
Now our virtual MFA device is ready for use. When a user for whom MFA is enabled tries to log in to the AWS console, AWS presents an MFA token challenge after authenticating the user with a valid user ID and password.
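To make the code generation and the two-code activation step above concrete, here is an added example (not AWS's code and not from the original page) that implements the standard RFC 6238 TOTP scheme a virtual MFA app uses, a verifier that tolerates one step of clock drift, and a check that two submitted codes come from consecutive 30-second windows. The base32 secret and the `activation_pair_valid` name are constructed for illustration; the sample key is the RFC 6238 reference key, not a real AWS secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # a virtual MFA code is valid for one 30-second window
DIGITS = 6         # AWS virtual MFA devices show six-digit codes

def decode_secret(base32_key: str) -> bytes:
    """Decode the base32 key shown under 'Show secret key for manual configuration'."""
    key = base32_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore any padding stripped for display
    return base64.b32decode(key)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as a virtual MFA app computes it."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Verifier-side check tolerating +/- skew_steps of clock drift, in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def activation_pair_valid(secret: bytes, code1: str, code2: str, unix_time: int) -> bool:
    """Model the Activate Virtual MFA step (hypothetical helper): code1 and code2 must
    come from two consecutive windows ending at or shortly before unix_time."""
    for back in range(0, 3):  # allow a little time for the user to press the button
        second = unix_time - back * STEP_SECONDS
        first = second - STEP_SECONDS
        if (hmac.compare_digest(totp(secret, first), code1)
                and hmac.compare_digest(totp(secret, second), code2)):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample secret (RFC 6238 reference key), not a real AWS key.
    secret = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    print("current code:", totp(secret, now), "accepted:", verify(secret, totp(secret, now), now))
```

Two codes that pass `activation_pair_valid` demonstrate that the device clock and secret are in sync, which is exactly what the Authentication Code 1 / Authentication Code 2 prompt establishes.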
SMS text message–based MFA
To enable SMS text message-based MFA, we need to configure the IAM user with the user's phone number to receive SMS messages. When a user tries to log in with a valid username and password, AWS requests the six-digit numeric code that it sent to the user's mobile number as an SMS. This MFA method can be used only for IAM users and not for the root user. Also, at present SMS-based MFA can be used only for signing in to the AWS Management Console; it cannot be used with API or CLI calls.