AWS Identity and Access Management (IAM) best practice is to require all IAM users and the root user in your account to sign in to the AWS Management Console with multi-factor authentication (MFA). When MFA is enabled, AWS prompts users for their username and password (the first factor, what they know) and then for a response from their MFA device (the second factor, what they have), such as a one-time passcode (OTP) or a touch on a security key. Now you can enable a YubiKey security key (manufactured by Yubico, a third-party provider) as your users' MFA device.
YubiKey security keys use Universal 2nd Factor (U2F), an open authentication standard that lets users access multiple online services with a single security key, without installing drivers or client software. AWS allows you to enable a YubiKey security key as the MFA device for your IAM users. The same key can also be registered for several IAM users and root users, in one account or across accounts, so a person who holds several identities needs only one device to manage. You can also use the key you already use with other third-party applications, such as GitHub or Dropbox, to sign in to the AWS Management Console.
In this post, I demonstrate how to enable a YubiKey for your IAM users in the IAM console. I then demonstrate how to sign into the AWS Management Console as an IAM user using the YubiKey security key as your MFA device.
Note: You can enable a YubiKey security key as the MFA device for your root user from the Security Credentials page by following a similar setup process. Also, the AWS Console Mobile App and mobile browsers do not currently support YubiKey security keys as MFA devices for AWS. For more information, please review Supported Configurations for Using U2F Security Keys.
Enabling a YubiKey security key as MFA device for IAM users
To follow along, you must have a YubiKey security key that you want to associate with your IAM user. You can order a YubiKey security key using Amazon.com or other retailers.
Follow these steps to enable a YubiKey security key for your IAM user:
- Sign in to the IAM console.
- In the left navigation pane, select Users and then choose the name of the user for whom you want to enable a YubiKey.
- Select the Security Credentials tab, and then select the Manage link next to Assigned MFA device.
- In the Manage MFA Device wizard, select U2F security key and then select Continue.
- Insert the YubiKey security key into the USB port of your computer, wait for the key to blink, and then touch the button or gold disk on your key. If your key doesn’t blink, please select Troubleshoot U2F to review instructions to troubleshoot the issue.
- You’ll receive a notification that the security key assignment was successful. The YubiKey security key is ready for use. Select Close.
The Security Credentials tab will now display the U2F security key next to Assigned MFA device.
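The console shows the MFA status of one user at a time. To confirm that every identity that can sign in with a password (the root user included) actually has an MFA device assigned, the IAM credential report is the practical check. The following is an added example, not code from the original post: it parses the CSV that `aws iam get-credential-report` returns (the real report's columns include `user`, `password_enabled` and `mfa_active`, and the root user appears as `<root_account>`), and lists the identities that still lack MFA. The report text embedded below is constructed sample data, not output from a real account; `fetch_report` shows how the live report would be retrieved with boto3 but is not called in the offline run.

```python
"""Find IAM console users (and the root user) without an MFA device.

Added example, not from the AWS blog post. The credential report format
is real; the sample report below is constructed for the demo.
"""
import csv
import io
import time
from typing import List

# Constructed sample credential report (only the columns this check needs
# are meaningful; the real report carries more columns to the right).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2018-09-01T12:00:00+00:00,not_supported,not_supported,false,false
DBAdmin,arn:aws:iam::123456789012:user/DBAdmin,2018-02-01T00:00:00+00:00,true,2018-09-02T09:30:00+00:00,2018-02-01T00:00:00+00:00,N/A,true,false
Alice,arn:aws:iam::123456789012:user/Alice,2018-03-01T00:00:00+00:00,true,no_information,2018-03-01T00:00:00+00:00,N/A,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2018-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

ROOT_ROW = "<root_account>"


def users_missing_mfa(report_csv: str) -> List[str]:
    """Return the identities that can use the console password but have no MFA.

    A U2F key, a virtual MFA app and a hardware OTP token all set
    mfa_active to true, so this check is device-agnostic. The root user
    row reports password_enabled as not_supported, but root always has a
    password, so it is flagged whenever its mfa_active is false.
    """
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT_ROW
        has_password = is_root or row["password_enabled"].lower() == "true"
        has_mfa = row["mfa_active"].lower() == "true"
        if has_password and not has_mfa:
            missing.append(row["user"])
    return missing


def fetch_report() -> str:
    """Download the live credential report with boto3 (needs AWS credentials).

    generate_credential_report is asynchronous: poll until its State is
    COMPLETE, then get_credential_report returns the CSV in Content (boto3
    hands it back as already-decoded bytes).
    """
    import boto3  # imported here so the offline demo runs without it

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Swap SAMPLE_REPORT for fetch_report() to audit a real account.
    for user in users_missing_mfa(SAMPLE_REPORT):
        print("no MFA device assigned:", user)
```

Treat an empty result as the goal state for the account: the root user's MFA is enabled from the Security Credentials page rather than the IAM Users list, so it is worth running this after enabling keys for both kinds of identity.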
Now that you’ve successfully enabled a YubiKey security key as the MFA device for your IAM user (in this example, DBAdmin), I’ll demonstrate how your IAM user can use their YubiKey security key in addition to their username and password to sign into the AWS Management Console.
Using your YubiKey security key to sign into the AWS Management Console as an IAM user
As an IAM user with MFA enabled, you must use your MFA device to sign into the AWS Management Console. During sign-in, you first need to enter your username and password. Next, you need to complete the authentication challenge using your MFA device. Once you have successfully completed the MFA challenge, you can access the AWS Management Console.
Follow these steps to sign into the AWS Management Console using your YubiKey security key as the MFA device:
- Enter your AWS account ID or alias to sign in as an IAM user and select Next.
- From the IAM sign-in page, re-enter your AWS account ID or alias, plus the username and password for your IAM user. Then select Sign in.
- To authenticate with your YubiKey security key, insert your key into the USB port on your computer, wait for the key to blink, and then touch the button or gold disk on your YubiKey security key. If your key doesn’t blink, please select Troubleshoot MFA to review instructions to troubleshoot the issue.
Your IAM user has successfully completed the MFA challenge and signed in to the AWS Management Console.
In this blog post, I shared the benefits of using YubiKey security keys as your MFA device. I demonstrated how you can enable a YubiKey security key for your IAM users through the IAM console. I also showed you how to sign into the AWS Management Console using the YubiKey security key associated with your IAM user. You can also enable a U2F security key as an MFA device for root users by following a similar process.
If you have comments about enabling YubiKey or other MFA devices for your users, submit them in the Comments section below. If you have issues enabling YubiKey for your users, start a thread on the IAM forum or contact AWS Support.
Want more AWS Security news? Follow us on Twitter.