Enable Multi-Factor Authentication - AWS Single Sign-On

Enable Multi-Factor Authentication

By default, when a user signs in to the user portal, they sign in with their email address and password (the first factor). This is the default authentication mechanism used in AWS SSO. But when multi-factor authentication (MFA) is enabled, users enter an MFA code (the second factor) that is generated by an application on their phone. Users must use this MFA code to be authenticated to the user portal. These factors together provide additional security by preventing access to your AWS organization unless users supply valid user credentials and a valid MFA code.

Considerations Before Using MFA in AWS SSO

Before you enable MFA, consider the following information:

  • All users must have access to a physical device that can have applications installed on it, like a smartphone or tablet. Such a device is required before users can sign in using MFA. Therefore, you will need either to provide a device to each user or send them instructions on how they can register their own personal devices. For more information, see Authenticator Applications on User Devices.

  • Do not use the option Require Them to Provide a One-Time Password Sent by Email if your users must sign in to the user portal to access their email. For example, your users might use Office 365 on the user portal to read their email. In this case, users would not be able to retrieve the verification code and would be unable to sign in to the user portal. For more information, see Require Them to Provide a One-Time Password Sent by Email.

  • If you are already using RADIUS MFA that you configured with AWS Directory Service, then you do not need to enable MFA within AWS SSO. MFA is an alternative to RADIUS MFA for Microsoft Active Directory users of AWS SSO. For more information, see RADIUS MFA.

Note

MFA in AWS SSO is not supported for use by external identity providers.

Authentication Methods

Authentication methods help you determine the level of security that you want to enforce across all your users during sign-in. MFA has the following methods available:

  • Context-aware

  • Always-on

  • Disabled

Note

If you configure AWS SSO to use a connected directory and choose either the Context-aware or Always-on option, your users must sign in to the user portal using the down-level logon name format (DOMAIN\UserName). This restriction does not apply when you are using an AWS SSO store. With an AWS SSO store, users can sign in using either their down-level logon name format or their UPN logon name format (UserName@Corp.Example.com). For general information about sign-in formats, see User Name Formats on the Microsoft documentation website.

Context-Aware

Context-aware is the default setting when you first configure AWS SSO. In this mode, AWS SSO analyzes the sign-in context (browser, location, and devices) for each user. AWS SSO then determines whether the user is signing in with a previously trusted context. If a user is signing in from an unknown IP address or is using an unknown device, SSO prompts the user for multi-factor authentication. The user is prompted for an MFA code in addition to their email address and password credentials.

This mode provides additional protection for users who frequently sign in from their offices. This mode is also easier for those users because they do not need to complete MFA on every sign-in. SSO prompts users with MFA once and permits them to trust their device. Once a user indicates that they want to trust a device, AWS SSO considers future sign-ins to be “trusted.” AWS SSO does not challenge the user for an MFA code when they use that trusted device. Users are only required to provide additional verification when their sign-in context changes. Such changes include signing in from a new device, a new browser, or an unknown IP address.

Note

Changing from Disabled mode to Context-aware mode overrides existing RADIUS MFA settings that are configured in AWS Directory Service for sign-in to AWS SSO for this directory. For more information, see RADIUS MFA.

Always-On

In this mode, AWS SSO requires that users who have registered an MFA device provide an MFA code on every sign-in. You should use this mode if you have organizational or compliance policies that require your users to complete MFA every time they sign in to the user portal. For example, PCI DSS strongly recommends MFA during every sign-in to access applications that support high-risk payment transactions.

Disabled

While in this mode, no MFA authentication method is enabled. Users continue to sign in using their user name, password and/or RADIUS MFA as normal.

MFA Device Enforcement

The following options can be used to determine whether your users must have a registered MFA device when signing in to the user portal. These options also determine the method by which your users will receive their MFA code.

Allow Them to Sign In

Allow them to sign in is the default setting when you first configure AWS SSO MFA. Use this option to indicate that MFA devices are not required in order for your users to sign in to the user portal. Users who choose to register MFA devices will still be prompted for MFA codes.

Block Their Sign-In

Use the Block Their Sign-In option when you want to enforce MFA use by every user before they can sign in to AWS.

Important

If your authentication method is set to Context-aware, a user might select the This is a trusted device check box on the sign-in page. In that case, that user will not be prompted for an MFA code even if you have the Block Their Sign-In setting enabled. If you want these users to be prompted, change your authentication method to Always-on.

Require Them to Provide a One-Time Password Sent by Email

Use this option when you want to have verification codes sent to users by email. Because email is not bound to a specific device, this option does not meet the bar for industry-standard multi-factor authentication. But it does improve security over having a password alone. Email verification will only be requested if a user has not registered an MFA device. If the Context-aware authentication method has been enabled, the user will have the opportunity to mark the device on which they receive the email as trusted. Afterward they will not be required to verify an email code on future logins from that device, browser, and IP address combination.

Note

If you are using Active Directory as your SSO-enabled identity source, the email address used will always be based on the AD ‘email’ attribute. Custom AD attribute mappings will not override this behavior.
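The authentication methods (Context-aware, Always-on, Disabled) and the device enforcement options (Allow Them to Sign In, Block Their Sign-In, One-Time Password Sent by Email) combine into a single decision for each sign-in. The following Python model is an added example, not AWS code: it encodes only the rules stated on this page, including the caveat that a device marked trusted under Context-aware is not challenged even when Block Their Sign-In is enabled. The user names, device labels and IP addresses are constructed sample data, and "trusted context" is modelled as an exact (device, browser, IP) triple as an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMethod(Enum):
    CONTEXT_AWARE = "context-aware"
    ALWAYS_ON = "always-on"
    DISABLED = "disabled"


class Enforcement(Enum):
    ALLOW_SIGN_IN = "allow"      # MFA device optional
    BLOCK_SIGN_IN = "block"      # no registered device, no sign-in
    EMAIL_OTP = "email"          # fall back to a code sent by email


@dataclass(frozen=True)
class SignInContext:
    """Sign-in context as described on the page: device, browser and IP."""
    device: str
    browser: str
    ip: str


@dataclass
class User:
    name: str
    registered_mfa_devices: int = 0
    # Contexts the user has marked with "This is a trusted device".
    trusted_contexts: set = field(default_factory=set)


def decide(method: AuthMethod, enforcement: Enforcement,
           user: User, ctx: SignInContext) -> str:
    """Outcome for a user who has already supplied a valid password.

    Returns one of: ALLOW, MFA_CODE, EMAIL_CODE, BLOCK.
    """
    if method is AuthMethod.DISABLED:
        # No AWS SSO MFA; password (and RADIUS MFA, if configured) applies.
        return "ALLOW"
    if method is AuthMethod.CONTEXT_AWARE and ctx in user.trusted_contexts:
        # Trusted context is not challenged, regardless of enforcement.
        return "ALLOW"
    if user.registered_mfa_devices > 0:
        # Always-on, or Context-aware from an unknown context.
        return "MFA_CODE"
    # No registered device: the enforcement option decides.
    if enforcement is Enforcement.ALLOW_SIGN_IN:
        return "ALLOW"
    if enforcement is Enforcement.BLOCK_SIGN_IN:
        return "BLOCK"
    return "EMAIL_CODE"


def complete_challenge(user: User, ctx: SignInContext, trust_device: bool) -> None:
    """After a successful MFA or email code, optionally remember the context."""
    if trust_device:
        user.trusted_contexts.add(ctx)


if __name__ == "__main__":
    alice = User("alice", registered_mfa_devices=1)
    office = SignInContext("laptop-1", "firefox", "203.0.113.10")  # constructed
    print(decide(AuthMethod.CONTEXT_AWARE, Enforcement.BLOCK_SIGN_IN, alice, office))
    complete_challenge(alice, office, trust_device=True)
    print(decide(AuthMethod.CONTEXT_AWARE, Enforcement.BLOCK_SIGN_IN, alice, office))
```

Run the scenarios side by side to see the difference that matters for a compliance requirement: under Context-aware, a trusted context yields ALLOW on later sign-ins, while under Always-on the same user is asked for an MFA code every time.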

RADIUS MFA

Remote Authentication Dial-In User Service (RADIUS) is an industry-standard client-server protocol that provides authentication, authorization, and accounting management so users can connect to network services. AWS Directory Service includes a RADIUS client that connects to the RADIUS server upon which you have implemented your MFA solution. For more information, see Enable Multi-Factor Authentication for AWS Managed Microsoft AD.

You can use either RADIUS MFA or MFA in AWS SSO for user sign-ins to the user portal, but not both. MFA in AWS SSO is an alternative to RADIUS MFA in cases where you want AWS native two-factor authentication for access to the portal.

When you enable MFA in AWS SSO, your users need an MFA code to sign in to the AWS SSO user portal. If you had previously used RADIUS MFA, enabling MFA in AWS SSO effectively overrides RADIUS MFA for users who sign in to the user portal. However, RADIUS MFA continues to challenge users when they sign in to all other applications that work with AWS Directory Service, such as Amazon WorkDocs.

If your MFA is Disabled on the AWS SSO console and you have configured RADIUS MFA with AWS Directory Service, RADIUS MFA governs user portal sign-in. This means that AWS SSO falls back to RADIUS MFA configuration if MFA is disabled.

Authenticator Applications on User Devices

Your users can use their internet-accessible devices, such as a smartphone or tablet, as an MFA device. To do this, users must install an AWS-supported mobile app that generates a six-digit authentication code.

Because these apps can run on unsecured mobile devices, MFA might not provide the same level of security as U2F devices or hardware MFA devices. You can enable only two MFA devices per user.

For a list of MFA apps that you can use on smartphones or tablets, see Multi-Factor Authentication. Note that AWS requires an MFA app that produces a six-digit one-time password.