AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

The clock is ticking – why not try a passkey?


Heads up: Amazon Web Services is pushing ahead with making multi-factor authentication (MFA) mandatory for certain users, and we love to see it.

The cloud giant in October said it would start requiring MFA for its customers' most privileged users in 2024.

Indeed, we understand that since May this year, AWS has been gradually requiring MFA for management account root users in AWS Organizations, and this change is still rolling out.

And as stated during its annual re:Inforce security conference this month, AWS will from July begin requiring MFA for standalone account root users – those outside of AWS Organizations – when signing in to the AWS Management Console. Again, this will be a gradual roll-out, and other root user types are due to start facing this security requirement later this year. 

Once MFA is required for their account, customers will have a 30-day grace period to turn on multi-factor auth, Arynn Crow, AWS senior manager for user authentication product, told The Register, adding that the IT giant considers "MFA such an incredibly important part of our customer security strategy."

Especially in the post-COVID years, "we've observed an increase in credential-based attacks, particularly credential stuffing, credential spraying, and brute-force type of attacks," Crow said. "MFA is the single, simple, most effective tool that people have that they can deploy against these types of attacks."

If MFA is required and has not been enabled within the grace period, the customer must register an MFA device at their next sign-in; until they do, they will not be able to proceed further.

For anyone who thinks MFA is an avoidable faff: may we suggest the recent Snowflake customer security breaches as proof. These include Pure Storage, Ticketmaster, and Santander bank – and more than 160 other companies that are wishing they had turned on MFA right about now.

According to Mandiant, the 165-plus orgs whose Snowflake databases were stolen – and who were then extorted by an unknown, financially motivated crime crew – had one thing in common: they hadn't enabled MFA.

"Of course, it's not the only tool that should be in your toolkit from a security perspective," Crow told The Register in an interview at re:Inforce. "But by and large, the most commonly increasing ones that we see are ones that MFA can actually mitigate and help enhance the security posture of your account."

Support for FIDO2 passkeys as an MFA method, also announced at the conference, should make enabling MFA simple for AWS customers, she added.

Passkeys are based on a FIDO Alliance standard that's supported by Big Tech – including AWS, Apple, Microsoft, and Google – and they essentially replace passwords by using biometrics such as face or fingerprints, or device PINs, to verify users' identity.

By adding passkey support, AWS customers can now use Apple Touch ID on their iPhones, or Windows Hello on their laptops, as an authenticator – and then use that same passkey as an MFA method to sign in to their AWS console across multiple devices.

"I'm really excited about this particular milestone, because this is a usable, accessible form of security where we don't really have to trade off against that user experience anymore to have good security hygiene," Crow said. 

The move to passkeys follows similar efforts by Microsoft and Google over the past couple of months. It also builds on promises made at last month's RSA Conference by the three cloud giants, along with some of the other biggest names in tech, to make their products more secure within a year. ®
