AWS Virtual MFA and the Google Authenticator for Android


Amazon just announced that the AWS MFA (multi-factor authentication) now supports virtual or software MFA devices in addition to the physical hardware MFA devices like the one that’s been taking up unwanted space in my pocket for two years.

Multi-factor authentication means that in order to log in to my AWS account using the AWS console or portal (including the AWS forums) you not only need my secret password, you also need access to a device that I carry around with me.

Before, this was a physical device attached to my key ring. Now, this is my smart phone which has the virtual (software) MFA device on it. I already carry my phone with me, so the software doesn’t take up any additional space.

To log in to AWS, I enter my password and then the current 6-digit access code displayed by the Android app on my phone. These digits change every 30 seconds in an unguessable pattern, so this enhances the security of my AWS account.

I started by using Amazon’s AWS Virtual MFA app for my Android phone, but had some complaints about it including:

  • You have to click on an account name to see the current digits instead of just having them shown when the app is run. There’s nothing else for the app to do but show me these digits. Just do it!

  • The digits disappear from the screen too fast. Sometimes I want to glance back and see if I typed them in correctly, but they’re gone and I have to click again, hoping that they haven’t changed yet.

  • It’s hard to choose your own account names so that you know which entry to use for different AWS accounts.

I then noticed some cryptic information in the announcements: the new feature will work with “any application that supports the open OATH TOTP standard”.

Hmmm…

Sure ‘nuff!

I already use the Google Authenticator app on my Android phone so that my Google logins can use MFA. As it turns out, Google Authenticator also works seamlessly with AWS Virtual MFA.

  • Google Authenticator shows the codes as soon as it is run with a little timer showing me when they will change.

  • Google Authenticator lets me easily edit the displayed name so that I know at a glance which code is for my personal AWS account and which one is for my company AWS account.

This also means that I only have to run one app to get access to my devices for Google accounts and for AWS accounts. Amazon may improve their Android app over time, but by using open standards users can pick whatever works best for them at the time.

I love the fact that Amazon now supports Virtual MFA. I’ve already thrown away my hardware token and my pocket feels less full.

I love the fact that Amazon implemented this as a service based on existing standards so that I can use Google’s Android app to access my account.

I love open standards.

Update: I just found this great starting page which even links to Google Authenticator as a client for Android and iPhone:

http://aws.amazon.com/mfa/

2 Comments

I just recently enabled this for my Amazon Console login as well. I already use the Google Authenticator app on my phone for a couple of my email (Google Apps) accounts, so it was a snap to add AWS to it as well.

I wish, however, that Amazon had a "remember this computer for 30 days" checkbox the way Google's MFA logins do. Typing in a code every day, just to look at my CloudWatch graphs, is a little much.

I suppose I could use IAM to create a read-only login, and then use that for casual non-MFA console logins.

finnhart:

I love the idea of a read-only EC2 console login.
