Multiple MFA devices

18

As a user of a hardware U2F security key, I always follow best practice and register a backup key in case the primary is damaged or lost. In the old AWS support forums, your customers have been asking for this since 2013. Nine years later and this still appears to be impossible. When will this critical feature be added?

  • +1 Having the ability to setup multiple MFA devices is critical

  • +100 it is absolutely ridiculous that AWS does not support multiple MFA methods on both root and non-root user accounts. Users should be able to configure at least two security keys and TOTP devices.

10 Answers
4

+1 Having the ability to setup multiple MFA devices is critical

answered 2 years ago
4

+1

Assigning at least 2 U2F keys should not only be supported, it should be required.

answered 2 years ago
3

This has been a customer request, as you say, for quite some time. If you have not yet done so, please submit a support ticket requesting that you be added as a "+1" (which is AWS' way of indicating that a request is supported and, based on customer demand, helps prioritize work) to this feature request.

As an interim solution, if your MFA token were to be damaged it is possible to work with AWS Support to gain access to the account to sync a new token. This does require that you have certain information which would have been added to the account when it was setup. Here is the AWS documentation regarding how to accommodate a lost or broken MFA device: https://aws.amazon.com/premiumsupport/knowledge-center/lost-broken-mfa/

AWS
answered 2 years ago
  • By now, this is a request for internal reorganization. If AWS has been aware of this consistent feature request for 8 years, no manager or product owner has prioritized, and every other cloud provider has had it for years, there's a problem with AWS' internal incentive structure.

    Do we have to submit a support ticket to be added as a +1? Isn't that what an upvote is for?

  • The fact that they offer U2F at all is largely a win. After recently getting my MULTIPLE keys, I've found most places don't allow them. Though, AWS is the first service that didn't allow me to register my backup keys.

    Please allow me to add a second key.

3

+1

I would also really appreciate an explanation that convinces me the process to accommodate a lost or broken MFA device is not a recipe for a social engineering attack. thanks! Bill

Billl
answered 2 years ago
1

It should now be possible to add multiple MFA devices, although I still can't do it with some of my accounts. It is now possible to add up to 8 MFA devices.

From the blog post, to register an MFA device:

  • Sign in to the AWS Management Console and do the following:
    • For a root user, choose My Security Credentials.
    • For an IAM user, choose Security credentials.
  • For Multi-factor authentication (MFA), choose Assign MFA device.
  • Select the type of MFA device that you want to use and then choose Next.

I raised a support request and got the following response. I have unique passwords for all accounts so they must be creating the Amazon.com account. I've seen some accounts show Amazon.com when changing credentials, so it's probably something to do with that. The user account I raised this on was created in 2019, but the organisation was created years ago.

"We are gradually rolling out the new multiple MFA feature to AWS accounts. At this time, the feature has not been activated for your account because we are unable to separate your AWS and Amazon.com accounts. AWS customers who created accounts before September 2017 use the same credentials to sign in to AWS and Amazon.com. While we can’t provide you with a specific timeframe when your account can be separated, we continuously evaluate eligibility for this separation process. We might automatically complete the separation for you in the future. At that time, you will be able to use the new multiple MFA feature."


I received an email from Amazon containing the following, so they seem to be working toward resolving this:

Greetings from Amazon Web Services,

In the past, you have used the same email address and password to sign in to Amazon.com and AWS. In response to customer feedback, AWS is updating your account to make your access to Amazon.com and AWS independent. You can continue using this email address and your current password to sign in to Amazon.com. However, the next time that you sign in to AWS, you will be prompted to create a new password and will have the option to register a new multi-factor authentication (MFA) device. MFA is a best practice that adds an extra layer of protection on top of your email and password.

AWS will never email you and ask you to disclose your password. You will see the prompts to create a new password and register a new MFA device only when you visit the AWS Console at https://console.aws.amazon.com which will direct you to our secure sign-in experience hosted on the signin.aws subdomain.

This update to your AWS account also gives you the option to secure your AWS sign-in with additional MFA device types such as hardware security keys [1]. In addition, this update can help you monitor root user activity with AWS CloudTrail at no additional cost [2].

[1] To learn more about the types of MFA supported on AWS, visit our AWS IAM MFA User Guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

[2] To learn more about about monitoring sign-in events to the Console, visit our AWS CloudTrail User Guide: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html

Fydon
answered a year ago
  • That only works for me for the first device, and then afterwards I don't see Assign MFA device to add a second device.

  • In typical AWS fashion, it doesn't appear to be rolled out to all accounts. I can add multiple hardware keys on none of the root accounts I am responsible for; only on one IAM user.

  • I also don't see this on either of my accounts yet.
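The answer above gives the console steps for registering a device and the AWS email mentions watching root sign-ins in CloudTrail. The script below is an added example, not code from the thread or from AWS: it audits which IAM users have fewer than two registered MFA devices (the primary-plus-backup practice the question asks for) and flags successful root ConsoleLogin events where CloudTrail recorded no MFA. The live collector uses the real boto3 IAM paginators (ListUsers, ListMFADevices) and is only needed against a real account; the analysis functions run offline on the constructed sample data below. Device serial numbers, account ID and IP addresses in the sample are placeholders. Registering a security key itself still happens in the console as the steps above describe; this only checks what is registered.

```python
"""Audit MFA coverage for IAM users and detect root console logins without MFA.

Added example; assumes boto3 only for the live collector. The analysis
functions take plain dicts/lists so they can be tested offline.
"""
from typing import Dict, List

MIN_DEVICES = 2   # primary plus backup; AWS allows up to 8 per user


def users_below_minimum(devices_by_user: Dict[str, List[str]],
                        minimum: int = MIN_DEVICES) -> Dict[str, int]:
    """Return {user: device_count} for users with fewer than `minimum` MFA devices.

    `devices_by_user` maps an IAM user name to the SerialNumber values
    returned by ListMFADevices (virtual TOTP, hardware TOTP or FIDO key).
    """
    return {user: len(serials)
            for user, serials in devices_by_user.items()
            if len(serials) < minimum}


def collect_devices_by_user(iam_client) -> Dict[str, List[str]]:
    """Live collector: enumerate every IAM user and its registered MFA devices.

    iam_client is a boto3 IAM client (boto3.client("iam")). Not used offline.
    """
    result: Dict[str, List[str]] = {}
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            serials: List[str] = []
            for dpage in iam_client.get_paginator("list_mfa_devices").paginate(UserName=name):
                serials.extend(d["SerialNumber"] for d in dpage["MFADevices"])
            result[name] = serials
    return result


def root_logins_without_mfa(records: List[dict]) -> List[dict]:
    """Detection rule over CloudTrail records (items of a log file's "Records").

    Flags ConsoleLogin events where userIdentity.type is Root, the login
    succeeded, and additionalEventData.MFAUsed is anything other than "Yes".
    """
    hits = []
    for ev in records:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("userIdentity", {}).get("type") != "Root":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        hits.append({"time": ev.get("eventTime"), "sourceIP": ev.get("sourceIPAddress")})
    return hits


# Constructed sample data (placeholder account ID, serials and IPs).
SAMPLE_DEVICES = {
    "alice": ["arn:aws:iam::123456789012:mfa/alice-phone",
              "arn:aws:iam::123456789012:u2f/user/alice/key-1"],
    "bob":   ["arn:aws:iam::123456789012:mfa/bob-phone"],
    "carol": [],
}

SAMPLE_TRAIL = [
    {"eventTime": "2023-01-10T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},           # flagged
    {"eventTime": "2023-01-10T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.8",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},          # MFA used, fine
    {"eventTime": "2023-01-10T11:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "198.51.100.9",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},           # not root, out of scope here
    {"eventTime": "2023-01-10T12:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.10",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},           # failed attempt, not a login
]

if __name__ == "__main__":
    print("users below minimum:", users_below_minimum(SAMPLE_DEVICES))
    print("root logins without MFA:", root_logins_without_mfa(SAMPLE_TRAIL))
```

Against a real account, replace SAMPLE_DEVICES with collect_devices_by_user(boto3.client("iam")) and feed the records of downloaded CloudTrail log files to root_logins_without_mfa; the root user is not an IAM user, so its devices do not appear in ListMFADevices and must be checked in the console.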

1

My current workaround is to create several users, but this is a pain. Not to mention that they do not support Safari.

answered 2 years ago
  • This isn't really a workaround. While you can certainly create multiple IAM users and grant them administrative permissions in the account, it is not a replacement for the root user.

0
AWS
answered a year ago
  • This is not working for many of us, as this thread reports. I have full access to AWS from the console (admin access) and I am not able to add an additional MFA device to my account.

  • I have AdministratorAccess permission. It also doesn't work for one of my AWS accounts.

  • On Stackoverflow, posting an answer that contains content already covered by another answer is discouraged. How does it work here? I also linked to the same blog post but provided more detail in the answer I posted last week.

  • A small number of AWS accounts require additional configuration changes on our end before customers can take advantage of the new feature. We are currently working on making the required configuration changes and we will notify you when your account configuration is updated. For additional support, please submit a support request or reach out to your designated technical account manager.

0

Is there any official response from Amazon about this?

I need this as well. I have multiple machines, simply can't share one key between them.

answered a year ago
  • They just announced the feature recently.

  • A small number of AWS accounts require additional configuration changes on our end before customers can take advantage of the new feature. We are currently working on making the required configuration changes and we will notify you when your account configuration is updated. For additional support, please submit a support request or reach out to your designated technical account manager.

0

You can now assign multiple MFA devices in IAM, but it does not work on my account.


I can't add another MFA device. All I can see is Remove or Resync. Why?

Linda
answered a year ago
  • A small number of AWS accounts require additional configuration changes on our end before customers can take advantage of the new feature. We are currently working on making the required configuration changes and we will notify you when your account configuration is updated. For additional support, please submit a support request or reach out to your designated technical account manager.

0

My client is a very small business and its accounts have no access to support, is there an estimated ETA of when the rest of the 'old' accounts will have the ability to add a second MFA device?

He would not like to pay a support plan for this reason alone.

answered a year ago
