Ref: https://learn.cantrill.io/courses/1820301/lectures/41301460
DEMO: https://learn.cantrill.io/courses/1820301/lectures/63972846
Why is MFA needed?
- Web-based authentication usually based on usernames and passwords
- ❗ If leaked, anyone can impersonate you!
- 🔧 Factors = different pieces of evidence which prove identity
- Types:
- Knowledge - something you know (username + password…)
- Possession - something you have (bank card, MFA device/app, U2F key…)
- Inherent - something you are (fingerprint, face scan…)
- Location - where you are (geo coordinates, NW/IP address…)
- Trade-off: security ↔ convenience
- More factors means more security and harder to fake
- …but the more factors we use, the more time & effort it takes to authenticate
- Types of authentication based on number of factors:
- SFA/1FA (Single/One-Factor Authentication) = use only one factor
- 2FA (Two-Factor Authentication) = use two factors
- MFA (Multi-Factor Authentication) = use more than one factor
MFA in AWS
- One can activate MFA for a user (e.g. account root user, or
IAMADMIN user)
- AWS generates secret key + additional information (normally in a QR code)
- Information must be entered into an MFA device/app e.g. Google Authenticator
- You can also use passkeys and password managers (1Password, Proton Pass…) as your second factor of authentication
- Once set, the MFA code in the device/app will refresh periodically
- When authenticating to the AWS account, both the credentials (username + password) as well as the current MFA code will be asked → increased security
DEMO: Securing an AWS Account with MFA
Ref: https://learn.cantrill.io/courses/1820301/lectures/63972846
- Account drop-down menu > Security credentials > Assign MFA
- Select “Authenticator App” as MFA device & follow steps
- Any authenticator app works (Google Authenticator, Authy, 1Password…)