from Hacker News

Ask HN: AWS registering MFA will be required in 29 days

by herodoturtle on 10/11/24, 6:20 AM with 15 comments

Hi folks,

When signing into our AWS console this morning we noticed this security popup - "Registering MFA will be required in 29 days".

Below the notice is a list of options for registering for MFA, and I quote:

> 1. Passkey or Security key: Authenticate using your fingerprint, face, or screen lock. Create a passkey on this device or use another device, like a FIDO2 security key.

> 2. Authenticator app: Authenticate using a code generated by an app installed on your mobile device or computer.

> 3. Hardware TOTP Token: Authenticate using a code generated by hardware TOTP token or other hardware devices.

Perhaps this is a dumb question, but why can't we just use email for 2FA? (or maybe there is a way and we've just missed it?)

If email 2FA is not an option, which of the above 3 options would you recommend to minimise hassle?

(Option 1 looks simple but sounds like it's limited to individual devices? Option 2 - the idea of installing an app - irks us. With option 3 would we each need a hardware token?)

Any guidance would be appreciated. Thanks.

  • by YouWhy on 10/11/24, 6:12 PM

    First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

    One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

    https://www.fhtino.it/docs/keepass-totp--intro/

    Also, Keepass2Android can be used in a similar vein from Android devices. iOS equivalents seem to exist as well.

  • by mooreds on 10/11/24, 1:23 PM

    I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

    There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

    You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.
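
The TOTP seed that YouWhy's KeePass setup stores and the QR code mooreds suggests printing are the same secret: the QR encodes an otpauth:// URI carrying the base32 seed, and any authenticator app (option 2), hardware token (option 3) or desktop password manager just runs RFC 6238 over that seed and the current time. The following is an added editorial example, not code from the thread or from AWS, showing what that computation is, what the QR code actually contains, and how a verifier tolerates clock skew. The issuer/account names, the window size and the use of the RFC 6238 reference seed are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample seed: the ASCII string "12345678901234567890" from the
# RFC 6238 test vectors, base32-encoded as it would appear in a QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_seed(secret_b32):
    """Decode a base32 TOTP seed, tolerating spaces and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically
    truncated (RFC 4226 section 5.3) to `digits` decimal digits."""
    now = int(time.time()) if at is None else at
    counter = now // step
    digest = hmac.new(_decode_seed(secret_b32), struct.pack(">Q", counter),
                      hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(code, secret_b32, at=None, window=1, step=30, digits=6):
    """Accept a code from the current step or up to `window` steps either
    side, to absorb clock skew between the token and the server. Compare in
    constant time so a verifier does not leak which digits matched."""
    now = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, at=now + delta * step, step=step, digits=digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def otpauth_uri(issuer, account, secret_b32, digits=6, period=30):
    """The text a TOTP enrolment QR code encodes. Anyone who can read this
    string (or the printed QR) can generate valid codes forever, which is why
    a printed copy is a break-glass credential and must be stored like one."""
    label = quote(issuer) + ":" + quote(account)
    return ("otpauth://totp/%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (label, secret_b32, quote(issuer), digits, period))


if __name__ == "__main__":
    # Hypothetical issuer/account names for the demonstration.
    print(otpauth_uri("Amazon Web Services", "alice@example.com", SAMPLE_SECRET_B32))
    print("code at RFC 6238 test time 59:", totp(SAMPLE_SECRET_B32, at=59))
    print("current code:", totp(SAMPLE_SECRET_B32))
```

The seed is the only long-lived secret; the codes are derived. That is also why registering the same seed in two apps, or in an app and a printed QR, is not "two factors": it is one factor with two copies.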

  • by xet7 on 10/12/24, 3:34 AM

    On Linux, I manage local 2FA with the Numberstation GUI. It can import and export.

    sudo apt install numberstation

    I manage passwords with KeepassXC

    sudo apt install keepassxc

    There is also a newer version with additional features:

    https://github.com/keepassxreboot/keepassxc

  • by stephenr on 10/11/24, 6:20 PM

    Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

    As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

  • by dotps1 on 10/11/24, 3:35 PM

    Personally I would do all of them.

    I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

    I would link my account to my authenticator app.

    Then I would also register my yubikey I keep on my keychain.