An additional layer of protection, once reserved for banks and large enterprises, is now available to protect your AWS account from unauthorized use. This should be especially attractive to our enterprise-level customers, but we expect customers of all types to value the additional security.
Once activated for your AWS account, our new Amazon Multi-Factor Authentication (MFA) feature requires you to provide a second piece of information (an authentication code) in order to log in to the AWS Portal and the AWS Management Console.
To activate this feature, you must first purchase an authentication device here. Once you have the device in hand, you can activate it for your AWS account using the AWS portal. From that point forward, you will need to provide your password and the authentication code from the device in order to log in.
The devices are small, lightweight, and long-lasting. Fraudulent usage becomes much more difficult because a successful login combines something you know (your email address and password) with something you have (the authentication device).
We are following the OATH reference architecture for time-based one-time passwords. In this model, the authentication device contains a very accurate clock. Once synchronized to your AWS account, the device displays a new set of pseudo-random digits every 30 seconds. The digit stream is based on the current time and the device's unique serial number.
Once you purchase an authentication device from one of our participating third-party vendors, use of MFA is free. Each device works with a single AWS account and each AWS account accommodates at most one device.
-- Jeff;


Presumably this doesn't work for automated deployment tooling that is designed to work without a person nearby? Or can you have the (remote) management tooling use one of these to authenticate without someone being around to read the display?
Posted by: Steve Loughran | September 01, 2009 at 01:13 AM
Hi,
The option of multi-factor authentication is great. However, the limitation that each AWS account accommodates at most one device is a bit of an issue. Some redundancy is good in this scenario, so it would be good to have at least 2 devices.
Further, I notice that the page where the device is sold says "Only orders with a US shipping address will be accepted at this time." Once again, EU customers have to wait. ;)
Best,
Ismael
Posted by: Ismael Juma | September 01, 2009 at 02:14 AM
Great news, I would also love to use the same MFA on regular Amazon and/or Checkout by Amazon purchases.
Also, instead of just providing a hardware token based MFA method, wouldn't it be great if you could enable MFA using a soft token (perhaps as an iPhone or other Mobile App)?
Posted by: hitech | September 01, 2009 at 11:38 AM
Why would you use a fob to generate the OTP when you can get it much more easily through an e-mail or SMS, like the Validus SMS product does??? We also have a free-otp site for developers.
Posted by: Andrew Stewart | September 02, 2009 at 11:56 AM
Hello,
I am getting a lot of inquiries about our OTP via SMS product and our OTP card that has the form factor of a driving license. Here is the portal for all the information. You will need to register here first.
http://portal.validustech.com/register
In the portal are white papers, code samples, best practices, security models, video, presentations, etc., oriented around OTP; these will help you with your AMI and AWS authentication.
Here is the developer's site for OTP:
http://www.free-otp.com/
Andrew@validustech.com
Best wishes Andy
Posted by: Andrew Stewart | September 02, 2009 at 02:52 PM