Supported configurations for using FIDO security keys - AWS Identity and Access Management

Supported configurations for using FIDO security keys

You can use WebAuthn as a multi-factor authentication (MFA) method with IAM using currently supported configurations. These include FIDO2 devices supported by IAM and browsers that support WebAuthn.

FIDO2 devices supported by AWS

IAM currently supports FIDO2 security devices that connect to your devices through USB, Bluetooth, or NFC. We don't support platform authenticators such as TouchID, FaceID, or Windows Hello.

Note

AWS requires access to the physical USB port on your computer to verify your FIDO2 device. WebAuthn MFA will not work with a virtual machine, a remote connection, or a browser's incognito mode.

The FIDO Alliance maintains a list of all FIDO2 products that are compatible with FIDO specifications.

Browsers that support WebAuthn

The following browsers currently support the use of FIDO2 security keys:

Browser    macOS 10.15+   Windows 10   Linux
Chrome     Yes            Yes          Yes
Safari     Yes            No           No
Edge       Yes            Yes          Yes
Firefox    Yes            Yes          Yes

Note

Most Firefox versions that currently support WebAuthn don't enable support by default. For instructions on enabling WebAuthn support in Firefox, see Troubleshooting FIDO security keys.

Browser plugins

AWS supports only browsers that natively support the FIDO2 WebAuthn standard. AWS doesn't support using plugins to add FIDO2 WebAuthn browser support. Some browser plugins are incompatible with the FIDO U2F standard and can cause unexpected results with FIDO2 security keys.

For information on disabling browser plugins and other troubleshooting tips, see I can't enable my FIDO security key.

Mobile environments

The following browsers currently support the use of FIDO2 security keys:

Browser    iOS 14.5+   Android 7+
Chrome     Yes         Yes
Safari     Yes         No
Edge       No          No
Firefox    Yes         No

Note

The AWS Console Mobile App on Android devices doesn't support using FIDO2 security keys for MFA.

Device certifications

We capture and assign device-related certifications, such as FIPS validation and FIDO certification level, only during the registration of a FIDO security key. Your device certification is retrieved from the FIDO Alliance Metadata Service (MDS). If the certification status or level of your FIDO security key changes, it will not be reflected in the device tags automatically. To update the certification information of a device, register the device again to fetch the updated certification information.

AWS provides the following certification types as condition keys during device registration, obtained from the FIDO MDS: FIPS-140-2, FIPS-140-3, and FIDO certification levels. You can restrict registration to specific authenticators in your IAM policies, based on the certification type and level you require. For more information, see the policies below.

Example policies for device certifications

The following use cases show sample policies that allow you to register MFA devices with FIPS certifications.

Use case 1: Allow registering only devices that have FIPS-140-2 L2 certifications

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2"
                }
            }
        }
    ]
}

Use case 2: Allow registering devices that have FIPS-140-2 L2 and FIDO L1 certifications

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2",
                    "iam:FIDO-certification": "L1"
                }
            }
        }
    ]
}

Use case 3: Allow registering devices that have either FIPS-140-2 L2 or FIPS-140-3 L2 certifications

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Activate",
                    "iam:FIDO-FIPS-140-3-certification": "L2"
                }
            }
        }
    ]
}

Use case 4: Allow registering devices that have FIPS-140-2 L2 certification and support other MFA types like virtual authenticators and hardware TOTP

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey": "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "iam:RegisterSecurityKey": "true"
                }
            }
        }
    ]
}
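To see what these policies permit at each registration step, the following is an added example in Python, not AWS code: a small evaluator that models only the semantics the policies above rely on (Allow statements, the StringEquals and Null operators, and the Create/Activate two-step flow), run over constructed request contexts for use cases 1 and 4. The evaluation rules are a deliberate simplification of IAM (noted in the comments); validate real policies with the IAM policy simulator.

```python
# Added teaching example, not AWS code: a simplified evaluator covering only what the
# policies above use (Allow statements, StringEquals, Null, Create/Activate flow).
def allow(condition):
    """Build one Allow statement for iam:EnableMFADevice with the given Condition."""
    return {"Effect": "Allow", "Action": "iam:EnableMFADevice", "Resource": "*", "Condition": condition}

# Use case 1: Create is always allowed; Activate only for FIPS 140-2 Level 2 keys.
POLICY_USE_CASE_1 = {"Version": "2012-10-17", "Statement": [
    allow({"StringEquals": {"iam:RegisterSecurityKey": "Create"}}),
    allow({"StringEquals": {"iam:RegisterSecurityKey": "Activate",
                            "iam:FIDO-FIPS-140-2-certification": "L2"}}),
]}
# Use case 4: use case 1 plus a statement that matches when iam:RegisterSecurityKey
# is absent from the request, which is the case for virtual and hardware TOTP devices.
POLICY_USE_CASE_4 = {"Version": "2012-10-17", "Statement": POLICY_USE_CASE_1["Statement"]
                     + [allow({"Null": {"iam:RegisterSecurityKey": "true"}})]}

def condition_matches(operator, expected, context):
    """True when every key under one condition operator matches the request context."""
    for key, want in expected.items():
        if operator == "StringEquals":      # exact, case-sensitive value comparison
            if context.get(key) != want:
                return False
        elif operator == "Null":            # "true": key must be absent; "false": present
            if (want == "true") != (key not in context):
                return False
        else:
            raise ValueError(f"operator not modelled here: {operator}")
    return True

def is_allowed(policy, action, context):
    """Simplified IAM logic: explicit Deny wins, any matching Allow grants, default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if all(condition_matches(op, exp, context)
               for op, exp in stmt.get("Condition", {}).items()):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed request contexts: both registration steps for an L2 and an L1 key, and a
# TOTP registration, which carries no security-key context keys at all.
CREATE = {"iam:RegisterSecurityKey": "Create"}
ACTIVATE_L2 = {"iam:RegisterSecurityKey": "Activate", "iam:FIDO-FIPS-140-2-certification": "L2"}
ACTIVATE_L1 = {"iam:RegisterSecurityKey": "Activate", "iam:FIDO-FIPS-140-2-certification": "L1"}
TOTP = {}
```

Calling is_allowed(POLICY_USE_CASE_1, "iam:EnableMFADevice", ACTIVATE_L1) returns False, so the Create step succeeds but the Level 1 key is rejected at Activate, whereas POLICY_USE_CASE_4 additionally returns True for the TOTP context.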

AWS CLI and AWS API

AWS supports using FIDO2 security keys only in the AWS Management Console. Using FIDO2 security keys for MFA is not supported in the AWS CLI and AWS API, or for access to MFA-protected API operations.

Additional resources