Enabling a FIDO security key (console)
FIDO security keys are a type of MFA device that you can use to protect your AWS resources. You plug your FIDO security key into a USB port on your computer and enable it using the instructions that follow. After you enable it, you tap it when prompted to securely complete the sign-in process. If you already use a FIDO security key with other services, and it has an AWS-supported configuration (for example, the YubiKey 5 Series from Yubico), you can also use it with AWS. Otherwise, you need to purchase a FIDO2 security key if you want to use WebAuthn for MFA in AWS. For specifications and purchase information, see Multi-Factor Authentication.
FIDO2 is an open authentication standard and an extension of FIDO U2F, offering the same high level of security based on public key cryptography. FIDO2 consists of the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP), an application layer protocol. CTAP enables communication between a client or platform, such as a browser or operating system, and an external authenticator. You can continue to use FIDO-compliant devices, such as FIDO U2F security keys. When you enable a FIDO-compliant authenticator in AWS, the FIDO security key creates a new key pair for use with only AWS. First, you enter your credentials. When prompted, you tap the FIDO security key, which responds to the authentication challenge issued by AWS. To learn more about the FIDO2 standard, see the FIDO2 Project.
You can enable one MFA device (of any kind) per root user or IAM user.
Permissions required
To manage a FIDO security key for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
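To see what this policy permits before and after MFA is present, here is an added Python example (not AWS code) that evaluates the two statements with a minimal model of IAM's explicit-deny-wins logic and the BoolIfExists operator; the user name, account ID and request contexts are constructed for illustration.

```python
import fnmatch

# The policy from this page, reduced to the fields the evaluator reads.
POLICY = {"Statement": [
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:EnableMFADevice", "iam:GetUser",
                   "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _condition_met(cond, ctx):
    # Only BoolIfExists is modelled, because that is the operator this policy uses.
    for op, pairs in cond.items():
        if op != "BoolIfExists":
            raise NotImplementedError(op)
        for key, want in pairs.items():
            if key not in ctx:   # "...IfExists": an absent key satisfies the test, so a
                continue         # long-term access key (no MFA key at all) is denied too
            if str(ctx[key]).lower() != want.lower():
                return False
    return True

def _applies(stmt, action, resource, ctx):
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
    else:  # NotAction: the statement covers every action that is NOT listed
        hit = not any(fnmatch.fnmatchcase(action, a) for a in stmt["NotAction"])
    pattern = stmt["Resource"].replace("${aws:username}", ctx["aws:username"])
    return (hit and fnmatch.fnmatchcase(resource, pattern)
            and _condition_met(stmt.get("Condition", {}), ctx))

def evaluate(policy, action, resource, ctx):
    """Simplified IAM logic: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

# Constructed request contexts for a hypothetical user "alice" in account 111122223333.
ALICE = "arn:aws:iam::111122223333:user/alice"
NO_MFA_KEY = {"aws:username": "alice"}                                        # long-term access key
MFA_FALSE = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}  # temp creds, no MFA
MFA_TRUE = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}    # signed in with MFA
```

With no MFA key in the request context, evaluate() returns Allow for iam:EnableMFADevice but ExplicitDeny for iam:DeactivateMFADevice; once aws:MultiFactorAuthPresent is true, all five listed actions on the user's own ARN are allowed.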
Enable a FIDO security key for your own IAM user (console)
You can enable a FIDO security key for your own IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.
Before you can enable a FIDO security key, you must have physical access to the device.
You should not choose any of the available options on the Google Chrome pop-up that asks to Verify your identity with amazon.com. You only need to tap on the security key.
To enable a FIDO security key for your own IAM user (console)
- Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
Note: For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
To get your AWS account ID, contact your administrator.
- In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
- On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.
- In the Manage MFA device wizard, choose FIDO security key, and then choose Continue.
- Insert the FIDO security key into your computer's USB port.
- Tap the FIDO2 security key, and then choose Close when setup is complete.
The FIDO2 security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.
Enable a FIDO security key for another IAM user (console)
You can enable a FIDO security key for another IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.
To enable a FIDO security key for another IAM user (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- Choose the name of the user for whom you want to enable MFA, and then choose the Security credentials tab.
- Next to Assigned MFA device, choose Manage.
- In the Manage MFA device wizard, choose FIDO security key, and then choose Continue.
- Insert the FIDO security key into your computer's USB port.
- Tap the FIDO security key, and then choose Close when setup is complete.
The FIDO security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.
Enable a FIDO security key for the AWS account root user (console)
You can enable a FIDO security key for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.
If your FIDO security key is lost, stolen, or not working, you can still sign in using alternative factors of authentication. To learn about signing in using alternative factors of authentication, see What if an MFA device is lost or stops working? To disable this feature, contact AWS Support.
To enable the FIDO key for your root user (console)
- Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
Note: If you see three text boxes, then you previously signed in to the console with IAM user credentials. Your browser might remember this preference and open this account-specific sign-in page every time that you try to sign in. You cannot use the IAM user sign-in page to sign in as the account owner. If you see the IAM user sign-in page, choose Sign in using root user email near the bottom of the page. This returns you to the main sign-in page. From there, you can sign in as the root user using your AWS account email address and password.
- On the right side of the navigation bar, choose your account name, and then choose My Security Credentials. If necessary, choose Continue to Security Credentials.
- Expand the Multi-factor authentication (MFA) section.
- Choose Manage MFA or Activate MFA, depending on which option you chose in the preceding step.
- In the wizard, choose FIDO security key, and then choose Continue.
- Insert the FIDO security key into your computer's USB port.
- Tap the FIDO security key, and then choose Close when setup is complete.
The FIDO security key is ready for use with AWS. The next time you use your root user credentials to sign in, you must tap your FIDO security key to complete the sign-in process.
Replace a FIDO security key
You can have only one MFA device (virtual, FIDO security key, or hardware) assigned to a user at a time. If the user loses a FIDO-compliant authenticator or needs to replace it for any reason, you must first deactivate the old FIDO-compliant authenticator. Then you can add a new MFA device for the user.
- To deactivate the device currently associated with a user, see Deactivating MFA devices.
- To add a new FIDO security key for an IAM user, see Enabling a FIDO security key (console).
If you don't have access to a new FIDO security key, you can enable a new virtual MFA device or hardware MFA device. See one of the following for instructions: