When signing into our AWS console this morning we noticed this security popup - "Registering MFA will be required in 29 days".
Below the notice is a list of options for registering for MFA, and I quote:
> 1. Passkey or Security key: Authenticate using your fingerprint, face, or screen lock. Create a passkey on this device or use another device, like a FIDO2 security key.
> 2. Authenticator app: Authenticate using a code generated by an app installed on your mobile device or computer.
> 3. Hardware TOTP Token: Authenticate using a code generated by hardware TOTP token or other hardware devices.
Perhaps this is a dumb question, but why can't we just use email for 2FA? (or maybe there is a way and we've just missed it?)
If email 2FA is not an option, which of the above 3 options would you recommend to minimise hassle?
(Option 1 looks simple but sounds like it's limited to individual devices? Option 2 - the idea of installing an app - irks us. With option 3 would we each need a hardware token?)
Any guidance would be appreciated. Thanks.
One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:
https://www.fhtino.it/docs/keepass-totp--intro/
Also, Keepass2Android can be used in a similar vein from Android devices. iOS equivalents seem to exist as well.
There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).
You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.
Forgive the ignorant questions, as you can tell we're pretty new to this stuff.
Kinda wish we could just use simple email 2FA to be honest!
Thanks for the reply.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...
As far as I know, you don't even have to have a Google account to use Google Authenticator in many use cases. (You do if you want to back up your secrets.)
sudo apt install numberstation
I manage passwords with KeePassXC
sudo apt install keepassxc
There is also a newer version with additional features:
https://github.com/keepassxreboot/keepassxc
As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?
I wish there were a simple step-by-step guide for (example) how to set up MFA in AWS using my browser/password manager. As in, an ELI5 explanation. Gosh that would help demystify this stuff! Not that it's mysterious or anything... but for the uninitiated it's a bit of a steep learning curve!
For the authenticator (TOTP), you just save a QR code where it tells you. Just Google "TOTP <your password manager>" and I'm sure you will find a guide.
I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.
I would link my account to my authenticator app.
Then I would also register my YubiKey I keep on my keychain.
If you had to pick 1, which of the 3 options is the most streamlined / causes you the least amount of hassle?
We're a relatively small dev team (~5 people) if that influences the answer in any way.
Thanks for the tips!
Passkeys are the quickest way to sign in.
Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.
If you find yourself struggling with passkeys, then the "authenticator" route is next best.
This just gives you a QR code, which you can also store in your password manager and have it generate one time codes.
If you have an authenticator app on your phone, you can rescan that same QR code to have the codes both places. (password manager and authenticator app)
This is only true if you don't use a password manager which syncs passkeys.