AWS has recently announced two new security features. First, passkeys can now be used as a multi-factor authentication (MFA) factor for root and IAM users, adding a phishing-resistant second factor on top of the username and password. Second, AWS now requires MFA for root users, starting with the root user of AWS Organizations management accounts; the requirement will be extended to other accounts over the course of the year.
Sébastien Stormacq, principal developer advocate at AWS, discussed these announcements related to MFA in a blog post. Stormacq stated that a passkey, used in FIDO2 authentication, is a pair of cryptographic keys created on your device when you sign up for a service or website. It consists of two linked cryptographic keys: a public key stored by the service provider and a private key stored securely on your device (like a security key) or synced across your devices through services like iCloud Keychain, Google accounts, or password managers like 1Password.
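To make the two-key description concrete, here is an added example (written for this page, not code from AWS or from Stormacq's post) of the FIDO2/WebAuthn sign-in ceremony in Go: the device keeps the private key, the service stores only the public key, and each login is the service's random challenge signed together with the origin the browser saw. The relying-party ID, the origin and all type and function names are assumptions made for the example; real authenticators use CBOR/COSE encodings and attestation, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying-party ID and origin for the example (not AWS's real ones).
const (
	rpID   = "signin.example.test"
	origin = "https://" + rpID
)

// Authenticator holds the private half of the passkey (on a real device it never leaves
// the secure enclave or synced keychain). Credential is all the service keeps: the public half.
type Authenticator struct{ priv *ecdsa.PrivateKey }
type Credential struct{ pub *ecdsa.PublicKey }
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Register creates the P-256 key pair on the device and hands back only the public key.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{pub: &priv.PublicKey}, nil
}

// NewChallenge is the service's fresh random nonce for one sign-in attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedBytes is the digest the passkey signs: sha256(authenticatorData || sha256(clientDataJSON)).
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign produces a WebAuthn assertion. The browser, not the authenticator, fills in the
// origin it is actually talking to, which is what makes a passkey phishing-resistant.
func (a *Authenticator) Sign(challenge []byte, rp, org string) (*Assertion, error) {
	cd, err := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": b64(challenge), "origin": org})
	if err != nil {
		return nil, err
	}
	// authenticatorData = sha256(rpId) || flags (0x05 = UP|UV) || counter (synced passkeys usually report 0)
	rpHash := sha256.Sum256([]byte(rp))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the service side. A valid signature alone says nothing about which
// challenge or origin it covers, so every check below is mandatory.
func (c *Credential) Verify(as *Assertion, expected []byte, rp, org string) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp))
	switch {
	case cd["type"] != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd["challenge"] != b64(expected):
		return errors.New("challenge mismatch (replayed or cross-session assertion)")
	case cd["origin"] != org:
		return errors.New("origin mismatch (assertion minted for another site)")
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	case as.AuthData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(c.pub, signedBytes(as.AuthData, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, cred, _ := Register()
	ch, _ := NewChallenge()
	as, _ := auth.Sign(ch, rpID, origin)
	fmt.Println("genuine login accepted:", cred.Verify(as, ch, rpID, origin) == nil)
}
```

The three checks that do the security work are the challenge (blocks replay of a captured assertion), the origin (blocks a phishing site relaying the real site's challenge, because the browser writes the origin into clientDataJSON and a site cannot lie about its own) and the rpIdHash; a signature that verifies but fails any of them must be rejected.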
As another part of the security-related announcement, Stormacq mentioned that AWS is now enforcing multi-factor authentication (MFA) for root users on certain accounts. This initiative, initially announced last year by Amazon's chief security officer Stephen Schmidt, aims to enhance security for the most sensitive accounts.
AWS has initiated this rollout gradually, starting with a limited number of AWS Organizations management accounts and expanding over time to encompass most accounts. Users without MFA enabled on their root account will receive a prompt to activate it upon login, with a grace period before it becomes mandatory.
To enable passkey MFA, users need to open the IAM section of the AWS console. After selecting the desired user, locate the MFA section and click "Assign MFA device". Registering more than one MFA device for a user (for example a passkey plus a hardware security key) leaves a fallback if one device is lost, which improves account recovery options.
Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users
Next, name the device and select "Passkey or security key". If a password manager with passkey support is in use, it will offer to generate and store the passkey. Otherwise, the browser will provide options (depending on the OS and browser). For example, on a macOS machine using a Chromium-based browser, a prompt to use Touch ID to create and store the passkey within the iCloud Keychain is presented. The experience from this point onward varies based on the user's selections.
Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users
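Once passkeys or other MFA devices are being rolled out, the check an administrator wants, both for the root-user enforcement described earlier and for the per-user procedure above, is which principals can still sign in with a password alone. The following is an added example, not code from AWS or from the article: it parses the IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded after `aws iam generate-credential-report`) and lists every principal with console sign-in enabled but no active MFA device. The report embedded in the block is constructed for the example with a subset of the real report's columns; the account ID, user names and timestamps are invented.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"strings"
)

// Finding is one principal that can sign in to the console without MFA.
type Finding struct {
	User string
	ARN  string
	Root bool
}

// UnprotectedPrincipals parses an IAM credential report (CSV) and returns every
// principal that has console sign-in enabled but no active MFA device. Columns are
// looked up by header name, so the full report with all columns works as well.
func UnprotectedPrincipals(report io.Reader) ([]Finding, error) {
	r := csv.NewReader(report)
	header, err := r.Read()
	if err != nil {
		return nil, err
	}
	col := map[string]int{}
	for i, h := range header {
		col[h] = i
	}
	for _, need := range []string{"user", "arn", "password_enabled", "mfa_active"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("credential report missing column %q", need)
		}
	}
	var out []Finding
	for {
		rec, err := r.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		user := rec[col["user"]]
		root := user == "<root_account>"
		// The root row reports password_enabled as "not_supported" even though root
		// always has a password. IAM users with no console password cannot use MFA
		// for sign-in and are not findings here (their access keys are a separate audit).
		canSignIn := root || rec[col["password_enabled"]] == "true"
		if canSignIn && rec[col["mfa_active"]] != "true" {
			out = append(out, Finding{User: user, ARN: rec[col["arn"]], Root: root})
		}
	}
	return out, nil
}

// sampleReport is constructed for this example (invented account, users and dates)
// using the leading columns of the real credential report layout.
const sampleReport = `user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2019-03-04T10:00:00+00:00,not_supported,2024-06-10T08:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-01-12T09:00:00+00:00,true,2024-06-11T07:30:00+00:00,2024-01-02T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-05-20T12:00:00+00:00,true,2024-06-09T16:45:00+00:00,2023-11-15T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
`

func main() {
	findings, err := UnprotectedPrincipals(strings.NewReader(sampleReport))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		label := "IAM user"
		if f.Root {
			label = "ROOT USER"
		}
		fmt.Printf("%-9s %-16s %s\n", label, f.User, f.ARN)
	}
}
```

Against a real account, feed the decoded report to the program instead of the embedded sample, for instance by swapping `strings.NewReader(sampleReport)` for `os.Stdin` and piping in `aws iam get-credential-report --query Content --output text | base64 -d`. The root row is the one AWS is now enforcing MFA on; the IAM-user rows are the ones to walk through the "Assign MFA device" flow above.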
In a Reddit discussion of the announcement, one user noted a potential discrepancy: the release documentation mentioned Identity Center rather than IAM, yet the newly added passkey support did not appear to extend to Identity Center. The thread further concluded that the release primarily adds support for FIDO2 platform authenticators (passkeys) alongside the existing support for roaming authenticators (security keys).
Passkeys for multi-factor authentication are currently available to AWS users in all regions except the two China regions. The enforcement of multi-factor authentication for root users applies in all regions except those two China regions (Beijing and Ningxia) and AWS GovCloud (US), since accounts in those partitions operate without root users.