Enabling a FIDO security key (console) - AWS Identity and Access Management

Enabling a FIDO security key (console)

FIDO security keys are a type of multi-factor authentication (MFA) device that you can use to protect your AWS resources. You plug your FIDO security key into a USB port on your computer and enable it using the instructions that follow. After you enable it, you tap it when prompted to securely complete the sign-in process. If you already use a FIDO security key with other services, and it has an AWS supported configuration (for example, the YubiKey 5 Series from Yubico), you can also use it with AWS. Otherwise, you need to purchase a FIDO security key if you want to use WebAuthn for MFA in AWS. Additionally, FIDO security keys can support multiple IAM or root users on the same device, enhancing their utility for account security. For specifications and purchase information for both device types, see Multi-Factor Authentication. For specifications and purchase information, see Multi-Factor Authentication.

FIDO2 is an open authentication standard and an extension of FIDO U2F, offering the same high level of security based on public key cryptography. FIDO2 consists of the W3C Web Authentication specification (WebAuthn API) and the FIDO Alliance Client-to-Authenticator Protocol (CTAP), an application layer protocol. CTAP enables communication between client or platform, like a browser or operating system, with an external authenticator. When you enable a FIDO Certified authenticator in AWS, the FIDO security key creates a new key pair for use with only AWS. First, you enter your credentials. When prompted, you tap the FIDO security key, which responds to the authentication challenge issued by AWS. To learn more about the FIDO2 standard, see the FIDO2 Project.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your AWS account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the AWS Management Console or create a session through the AWS CLI as that user. We recommend that you register multiple MFA devices. For example, you can register a built-in authenticator and also register a security key that you keep in a physically secure location. If you’re unable to use your built-in authenticator, then you can use your registered security key. For authenticator applications, we also recommend enabling the cloud backup or sync feature in those apps to help you avoid losing access to your account if you lose or break your device with the authenticator apps.

Note

We recommend that you require your human users to use temporary credentials when accessing AWS. Your users can federate into AWS with an identity provider where they authenticate with their corporate credentials and MFA configurations. To manage access to AWS and business applications, we recommend that you use IAM Identity Center. For more information, see the The IAM Identity Center User Guide.

Permissions required

To manage a FIDO security key for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:

Note

The ARN values are static values and are not an indicator of what protocol was used to register the authenticator. We have deprecated U2F, so all new implementations use WebAuthn.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowManageOwnUserMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }

Enable a FIDO security key for your own IAM user (console)

You can enable a FIDO security key for your own IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.

Note

Before you can enable a FIDO security key, you must have physical access to the device.

Note

You should not choose any of the available options on the Google Chrome pop-up that asks to Verify your identity with amazon.com. You only need to tap on the security key.

To enable a FIDO security key for your own IAM user (console)
  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

    To get your AWS account ID, contact your administrator.

  2. In the navigation bar on the upper right, choose your user name, and then choose Security credentials.

    AWS Management Console Security credentials link
  3. On the AWS IAM credentials tab, in the Multi-factor authentication (MFA) section, choose Assign MFA device.

  4. In the wizard, type a Device name, choose Security Key, and then choose Next.

  5. Insert the FIDO security key into your computer's USB port.

    FIDO security key inserted into a USB port
  6. Tap the FIDO security key.

The FIDO security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.

Enable a FIDO security key for another IAM user (console)

You can enable a FIDO security key for another IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.

To enable a FIDO security key for another IAM user (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user for whom you want to enable MFA.

  4. Choose the Security Credentials tab. Under Multi-factor authentication (MFA), choose Assign MFA device.

  5. In the wizard, type a Device name, choose Security Key, and then choose Next.

  6. Insert the FIDO security key into your computer's USB port.

    FIDO security key inserted into a USB port
  7. Tap the FIDO security key.

The FIDO security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.

Replace a FIDO security key

You can have up to eight MFA devices of any combination of the currently supported MFA types assigned to a use at a time with your AWS account root user and IAM users. If the user loses a FIDO authenticator or needs to replace it for any reason, you must first deactivate the old FIDO authenticator. Then you can add a new MFA device for the user.

If you don't have access to a new FIDO security key, you can enable a new virtual MFA device or hardware TOTP token. See one of the following for instructions: