As you might already know, you can enable AWS Multi-Factor Authentication (MFA for short) for your AWS account and your Identity and Access Management (IAM) users to provide an additional level of security. Once you have enabled MFA for an account or IAM user, you need to enter an authentication code in addition to your user name and password to sign in to the AWS Management Console or AWS Portal, providing additional security above and beyond that offered by the usual password authentication.
We support hardware MFA devices, which you can purchase to generate your MFA authentication codes. These familiar keyfob devices are used by many corporations and financial services companies, and are a great option if your IT security policies mandate the use of hardware MFA devices.
Today we are pleased to announce that we are introducing an additional option, the Virtual MFA device. You can now generate MFA authentication codes on your smartphone or tablet. You can use our new AWS Virtual MFA Android app, or you can use any application that supports the OATH TOTP (Time-based One-Time Password) protocol, also known as RFC 6238 for you IETF geeks. So regardless of whether you prefer the convenience, flexibility, and economy (as in free) of a virtual MFA device, or the time-tested hardware MFA device, we've got you covered.
You can download the AWS Virtual MFA application from the Amazon Appstore for Android or from Google's Android Market. After you have installed the app (or, alternatively, one from this list), you can log in to the AWS Management Console and set it up. Here's a walk-through:
The AWS Account Credentials section of the IAM Dashboard in the AWS Management Console allows you to manage the MFA device (if any) associated with the account or a particular IAM user. Let's step through the workflow needed to set this up for the account (the IAM user workflow is very similar):

To manage MFA for an IAM user, select the user and then select the Security Credentials tab:

You can choose to activate a Virtual MFA device or a hardware MFA device:

If you choose to activate a Virtual MFA Device, you must first install a compatible application (we'll include a list of such applications on the AWS site):

If your device has the ability to scan QR codes, you can create a Virtual MFA device by pointing the camera at the AWS Management Console screen (if you can't scan, you can choose to display the secret key and then enter it manually):

Once you have done this, you must click on the enable link, and then enter two consecutive authentication codes:

And that's all there is to it. Once you have enabled the Virtual MFA device, you will log in to the AWS portal and the AWS Management Console using your email address (or IAM user for the console), password, and the current authentication code from the device:
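
The enable step above asks for two consecutive codes from the device. As an added example (not AWS code and not part of the original post), this Python sketch derives RFC 6238 codes from a manually entered Base32 secret key and shows one way a verifier could check such a pair. The function names, the 30-second step, the six-digit length, the drift window and the sample secret (the published RFC 6238 test key) are assumptions; the post does not describe how AWS validates codes.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30   # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6  # code length (assumed here)


def decode_secret(b32: str) -> bytes:
    """Decode a hand-typed Base32 secret: tolerate spaces, lower case, no padding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_codes(key: bytes, unix_time: int) -> tuple:
    """The codes a device shows in the current and the next time step."""
    counter = unix_time // STEP
    return hotp(key, counter), hotp(key, counter + 1)


def verify_pair(key, code1, code2, unix_time, window=1) -> bool:
    """Hypothetical verifier: accept only if code1 and code2 belong to two
    adjacent time steps within +/- `window` steps of the verifier's clock."""
    now = unix_time // STEP
    ok = False
    for c in range(now - window, now + window + 1):
        first = hmac.compare_digest(hotp(key, c), code1)
        second = hmac.compare_digest(hotp(key, c + 1), code2)
        ok |= first and second  # no early exit; comparisons are constant-time
    return ok


# Constructed sample input: the published RFC 6238 test secret, Base32-encoded
# the way it would be typed in manually.
SAMPLE_KEY = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")

if __name__ == "__main__":
    a, b = consecutive_codes(SAMPLE_KEY, 1111111109)
    print(a, b, verify_pair(SAMPLE_KEY, a, b, 1111111109))
```

With `window=0` the same pair is rejected once the verifier's clock has moved one step ahead of the device, which is why a small drift window is usually allowed.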

To get started, download our Android app or read more about Multi-Factor Authentication.
-- Jeff;


Can't find it on Google market, is it available in all countries?
Posted by: Aljosa Mohorovic | November 02, 2011 at 05:21 PM
If I understand correctly, Google Authenticator also supports OATH TOTP... and works on the iPhone today. Has anyone tested this? (I'm an Android kind of guy, myself, so I can't test explicitly on iOS.)
Excited about this, thanks!
Andy
Posted by: Andrew Leonard | November 02, 2011 at 09:03 PM
Ah, just found the list (which does include Google Authenticator on iOS): http://aws.amazon.com/mfa/virtual_mfa_applications/
Andy
Posted by: Andrew Leonard | November 02, 2011 at 09:09 PM
And iOS...? :-)
Posted by: Joshua | November 03, 2011 at 12:02 AM
Can't seem to enable the Gemalto key fob and virtual MFA at the same time :(
Posted by: cynix | November 03, 2011 at 04:53 AM
I have tested on iOS (iPad and iPhone) with the Google Authenticator app
Great feature!!!!
Posted by: Antonio José Ramos Márquez | November 03, 2011 at 08:07 AM
Tested on iPhone 4 with Google Authenticator... works great! So happy not to have to carry around another plastic blob in my pocket. Thanks AWS!
Posted by: D | November 03, 2011 at 05:01 PM
This is amazing. We were planning on equipping all users with a Gemalto device but we're so happy not to have to carry around a device!
We want to protect our main account (not IAM user) with MFA but we can't since several people need access to usage reports and billing stuff. It would be fabulous if we could add several MFA for that account or even better if IAM users could get access to the account-level stuff.
Keep up the great work!
Posted by: Markus Olsson | November 04, 2011 at 09:14 AM
I have written a Java Virtual Token which supports TOTP and works with Amazon MFA or Google 2-way verification. It is called et-otp and you can find the project (source+binary) here: http://ecki.github.com/et-otp/
It is tested with Amazon and Google on Windows 7, but should run on any Java 6 Desktops.
BTW: on the virtual token page of Amazon is a link to motp solutions. I think most of them do not work with TOTP, at least the ones I checked for Windows did not (and that's why I wrote my own).
Greetings
Bernd
Posted by: Bernd Eckenfels | November 22, 2011 at 08:29 PM
Is there a way to give users the rights to enable their own MFA? I assume it's some of the IAM actions, but I'm stumped.
Posted by: David Dolgin | August 14, 2012 at 06:00 PM