from Hacker News

Secure by Design: AWS to enhance MFA requirements in 2024

by donutshop on 10/4/23, 5:32 AM with 1 comments

  • by ggm on 10/4/23, 6:16 AM

    I looked at 'up to 8 devices/methods' in the AWS MFA page and wondered: is 8 2, or 4, or even 6 over the edge for how many discrete points of failure I have just introduced into my security regime?

    It's a tension. One: I can lose that second factor and I'm screwed (OK, backup codes, people). Two: That feels good because it's where I am. Three: Can I even count up to three? What does failing to enter it correctly on 3 things mean? Would I lock myself out? Is three meaning I leave one at home and have one with me so I can lose it?

    I just think 8 is like "well we wanted 7, but we decided to go to 'eleven' on this one" - unless it's "there are 8 bits in an unsigned byte" and it's a bitmap which one you use in their in-house API back end.