AWS Expands MFA Requirements with FIDO2 Passkeys Support

• AWS launches support for FIDO2 passkeys as a multi-factor authentication method.
• Users are urged to enable this type of strong authentication by the end of July.
• Adding passkeys provides enhanced security and user-friendly authentication. 

Amazon Web Services (AWS) announced launching support for FIDO2 passkeys as a method for multi-factor authentication (MFA), while reminding root users of standalone accounts that MFA must be enabled by the end of July 2024. The use of FIDO2 credentials is a highly safe and user-friendly option that balances usability and strong security and will be rolled out gradually.

According to the announcement, root users of accounts that aren’t managed with AWS Organizations will be required to use MFA when signing in to the AWS Management Console after July ends. A reminder at sign-in will also be displayed during a grace period. This change does not apply to the root users of member accounts in AWS Organizations.

Support for FIDO2 passkeys is already used on computers and mobile devices across the globe via a security mechanism built into their device, such as a fingerprint, facial scan, or PIN. For example, Apple Touch ID on iPhone or Windows Hello on PCs can be used as your MFA method to sign into the AWS console on any other device you own.

Passkeys possess the same FIDO2 cryptographically secure properties, and FIDO2 credentials use public key cryptography to provide phishing-resistant authentication. Apple, 1Password, Google, Dashlane, Microsoft, and others use syncable FIDO2 passkeys that enable FIDO keys to be backed up and synced rather than physically stored.

A member company of the FIDO Alliance, AWS, also mentioned preparing to launch additional features later in 2024 to help their customers manage MFA for larger numbers of users at scale.