News: 1718623110

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

(2024/06/17)


Heads up: Amazon Web Services is pushing ahead with making multi-factor authentication (MFA) mandatory for certain users, and we love to see it.

The cloud giant in October [1]said it would start requiring MFA for its customers' most privileged users in 2024.

Indeed, we understand that since May this year, AWS has been gradually requiring MFA for management account root users in AWS Organizations, and this change is still rolling out.

[2]

And as stated during its annual re:Inforce security [3]conference this month, AWS will [4]from July begin requiring MFA for standalone account root users – those outside of AWS Organizations – when signing in to the AWS Management Console. Again, this will be a gradual roll-out, and other root user types are due to start facing this security requirement later this year.

[5]

[6]

Once MFA is required for their account, customers will have a 30-day grace period to turn on multi-factor auth, Arynn Crow, AWS senior manager for user authentication product, told The Register , adding that the IT giant considers "MFA such an incredibly important part of our customer security strategy."

Especially in the post-COVID years, "we've observed an increase in credential-based attacks, particularly credential stuffing, credential spraying, and brute-force type of attacks," Crow said. "MFA is the single, simple, most effective tool that people have that they can deploy against these types of attacks."

[7]

If MFA is required, and not enabled within the grace period, the customer must register their MFA during their next sign-in or will not be able to proceed further.

For anyone who thinks MFA is an avoidable faff: May we suggest the recent Snowflake customer security breaches as proof. These include [8]Pure Storage , [9]Ticketmaster , and [10]Santander bank – and more than 160 other companies that are wishing they had turned on MFA right about now.

According to Mandiant, the [11]165-plus orgs whose Snowflake databases were stolen – and then they were extorted by an unknown financially motivated crime crew – had one thing in common: they hadn't [12]enabled MFA .

[13]

"Of course, it's not the only tool that should be in your toolkit from a security perspective," Crow told The Register in an interview at re:Inforce. "But by and large, the most commonly increasing ones that we see are ones that MFA can actually mitigate and help enhance the security posture of your account."

The support for FIDO2 passkeys as an MFA method, also announced at the conference, should make it simple for AWS customers, she added.

[14]Microsoft, Google do a victory lap around passkeys

[15]Snowflake customers not using MFA are not unique – over 165 of them have been compromised

[16]68 tech names sign CISA's secure-by-design pledge

[17]Orgs are having a major identity crisis while crims reap the rewards

Passkeys are based on a [18]FIDO Alliance standard that's supported by Big Tech – including AWS, Apple, Microsoft, and Google – and they essentially replace passwords by using biometrics such as face or fingerprints, or device PINs, to verify users' identity.

By adding passkey support, AWS customers can now use Apple Touch ID on their iPhones, or Windows Hello on their laptops, as an authenticator – and then use that same passkey as an MFA method to sign in to their AWS console across multiple devices.

"I'm really excited about this particular milestone, because this is a usable, accessible form of security where we don't really have to trade off against that user experience anymore to have good security hygiene," Crow said.

The move to passkeys follows similar efforts by [19]Microsoft and Google over the past couple of months. It also builds on [20]promises made at last month's RSA Conference by the three cloud giants, along with some of the other biggest names in tech, to make their products more secure within a year. ®

Get our [21]Tech Resources



[1] https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnBdqoy6-U8o14XHm6y-wAAAARA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://reinforce.awsevents.com/

[4] https://aws.amazon.com/blogs/security/passkeys-enhance-security-and-usability-as-aws-expands-mfa-requirements/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnBdqoy6-U8o14XHm6y-wAAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnBdqoy6-U8o14XHm6y-wAAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnBdqoy6-U8o14XHm6y-wAAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/06/11/pure_storage_snowflake_breach/

[9] https://www.theregister.com/2024/05/29/breachforums_ticketmaster_data/

[10] https://www.theregister.com/2024/06/04/snowflake_report_pulled/

[11] https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/

[12] https://www.theregister.com/2024/06/10/security_in_brief/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnBdqoy6-U8o14XHm6y-wAAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[14] https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

[15] https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/

[16] https://www.theregister.com/2024/05/09/68_tech_firms_sign_cisas/

[17] https://www.theregister.com/2024/02/21/identity_related_cyber_threats/

[18] https://www.theregister.com/2022/03/21/fido_password_killer/

[19] https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

[20] https://www.theregister.com/2024/05/09/68_tech_firms_sign_cisas/

[21] https://whitepapers.theregister.com/



So far so good, but...

Will Godfrey

if your passkey uses your phone and it gets stolen, is there a fairly quick way to cancel it's authorisation? If so, how do you then gain access to re-authorise another one.

Re: So far so good, but...

Stu J

You make sure you've got at least 2 passkeys registered so if you lose one you can still log in and disable the second. If you've only got one phone, then a yubikey or similar can be the second passkey device.

Re: So far so good, but...

Anonymous Coward

I have a work phone with Microsoft Office on it. Whenever I need to sign in on the phone, it prompts me for the MFA by displaying the message on the device and sending the code to the same device. I don't want work things on my private phone so how should I get around this?

Re: So far so good, but...

Roland6

I also recommend setting the access to privilege accounts up in a way that supports transfer. Ie. Make it easier for you to handover to someone else and leave the building , or in these post-Covid enlightened times, permit someone else to pick up your accesses due to your unplanned permanent absence.

Just taken over the IT of a client where (once again) they used a personal email account for such accesses and also did not use a password manager, so having to go through a spreadsheet (better than photocopies of handwritten notebooks) and changing everything…

Re: So far so good, but...

Steve Button

Don't do this.

If you make it easy to transfer to someone else, you make it easier to transfer to bad actors* and then they have the keys to your whole kingdom.

Put the passkeys in an envelope in a safe, and put in protocols around who has the keys / combination. And keep it in a secure building. And ideally you'll almost never need to use it, only in an absolute emergency.

* And I'm not talking about Nicholas Cage.

So far so bad

Mike 137

" By adding passkey support, AWS customers can now use Apple Touch ID on their iPhones, or Windows Hello on their laptops, as an authenticator – and then use that same passkey as an MFA method to sign in to their AWS console across multiple devices . "

A fundamental for credential security is that no factor is used across multiple devices (or ideally, as in the case of one time codes, even across multiple transactions), for the simple reason that the more places it's used the more likely it is to be compromised. Once again, it seems convenience takes precedence over common sense.

Re: So far so bad

mmccul

To be technical, more of concern is that under NIST SP800-63b 5.1.6.1: "Single-factor cryptographic software authenticators SHOULD discourage and SHALL NOT facilitate the cloning of the secret key onto multiple devices." Apple and Google not only do not discourage, they facilitate cloning the secret key (which is all a passkey is) onto multiple devices. It is unclear how Microsoft behaves. I've seen conflicting information there.

MFA works well

Anonymous Coward

...unless there's a help desk that responds to aggressive, shouty management demanding that their credentials get reset LIKE NOW.

And unfortunately, in my experience it's the top echelons of management who think that everybody else should abide by strict and unforgiving processes, but as soon as it's them, then different rules apply.

"why not try a passkey?"...

Marty McFly

Avoiding vendor lock-in.

Going the speed of light is bad for your age.