Everybody knows you should protect your AWS accounts (and other logins) with MFA against brute-force attacks. Most of the account providers use a standardized algorithm (RFC 6238) to generate the famous six-digit TOTP codes for your login.

But where do you store those securely? Today, we will look at the alternatives and a specific device: the Molto-2.

Tools like 1Password, LastPass, or others offer to store your TOTP codes right with the primary login data. This way, you can easily log into your accounts and mitigate brute-force attacks sufficiently.

But on the other hand, that means that everybody who gains access to your password manager or your computer can get around your security precautions. While having your machine or password safe compromised is scary enough, this way of keeping your MFA data safe can (and, in my opinion, should) violate internal compliance guidelines.

AWS supplied tokens

As a way around this, AWS has been offering Gemalto tokens for a long time. For each of your AWS accounts, you can order one of these tokens and store them securely. If someone needs access, you can get that token (ideally, sign for it and have a four-eyes process in place) and use it.

This approach has its drawbacks, though:

- you might have 100 accounts and do not want to store 100 tokens somewhere.
- it costs a lot of money for multiple accounts.
- Gemalto tokens are famous for being out of time sync when you need them.
- you might want to secure not only the Root logins.

Apart from the six-digit codes you are probably used to, AWS also offers using devices implementing the cryptographic FIDO2 scheme for logging in. One of the most known vendors is Yubico, but as this is an open standard there are other vendors as well (NitroKey, ...). This is basically a form of PKI, working with official certificates under the hood, making it the most secure way to protect your AWS accounts, but it comes with some limitations:

- FIDO2 keys do not work properly with the AWS CLI yet.
- they are currently not as common as TOTP (e.g. AWS supports them, but other providers might not).

I have been using a YubiKey for years now and would recommend it for protecting your personal AWS login, except if you have policies which demand MFA approval. I recently purchased an alternative, developed and built by Swiss company TOKEN2.