AWS Enhancing Security with Passkey Multi-Factor Authentication, here is what to know



Security remains a paramount concern for businesses and organizations operating in the cloud. Amazon Web Services (AWS), a leading cloud service provider, recognizes this and continually strives to bolster security measures. In a recent announcement, AWS introduced support for FIDO2 passkeys as an additional method for multi-factor authentication (MFA). Let’s delve into the details.


What Are Passkeys?

Passkeys, in the context of FIDO2 authentication, refer to a pair of cryptographic keys generated on the user’s client device during registration for a service or website. These keys are unique to each web service domain. The public part of the key is stored on the service’s end, while the private part is securely stored on the user’s device. Access to the private key is protected by a PIN code or biometric authentication (such as Apple Face ID or Microsoft Hello).

How Passkey MFA Works

  1. Registration: When a user registers for a service, their client device generates a passkey pair. The public key is sent to the service, while the private key remains securely stored.
  2. Authentication Challenge: When the user attempts to authenticate, the service sends a challenge to their browser.
  3. Device Signature: The browser requests the device to sign the challenge using the private key. This triggers PIN or biometric authentication.
  4. Validation: If the signature is valid, the service confirms that the user owns the private key associated with the stored public key.

Why Passkeys Matter

  1. Phishing Resistance: Passkeys are more resistant to phishing attacks than traditional passwords. The private key never leaves the device and is never typed in, and because each key pair is unique to one service domain, a look-alike site has nothing to capture.
  2. Additional Layer of Security: Passkeys serve as a second factor alongside passwords. Combining something the user knows (password) with something they have (passkey) strengthens security.
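
The four steps under "How Passkey MFA Works" and the phishing-resistance point above, shown as an added example (not AWS's code and not part of the original article): the service-side check of a WebAuthn sign-in assertion in Node.js with the built-in `crypto` module. The relying-party ID, the origins and all function names are constructed for illustration, and the browser and authenticator are simulated in-process.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed values (assumptions): a stand-in relying party, not AWS's real configuration.
const RP_ID = 'signin.example.com';
const ORIGIN = 'https://signin.example.com';

// Step 1, registration: the device creates the key pair; the service stores only publicKey.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
}

// Steps 2-3, simulated browser + authenticator. The browser, not the page, fills in the origin.
function signAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = Buffer.from([0x05]);   // UP (0x01) | UV (0x04): user present and verified
  const counter = Buffer.alloc(4);     // signature counter, fixed at 0 here
  const authenticatorData = Buffer.concat([sha256(rpId), flags, counter]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Step 4, validation by the service: context checks first, then the signature.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return 'user not verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed run: a genuine sign-in, then the same challenge signed on a look-alike origin.
function demo() {
  const { publicKey, privateKey } = register();
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, ORIGIN, RP_ID);
  const lookalike = signAssertion(privateKey, challenge, 'https://signin.example.net', RP_ID);
  return [verifyAssertion(publicKey, challenge, genuine),
          verifyAssertion(publicKey, challenge, lookalike)];
}
console.log(demo()); // [ 'ok', 'origin mismatch' ]
```

The signature covers the authenticator data plus a hash of the client data, so a signature produced for one origin or one challenge cannot be reused for another.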

Enabling Passkey MFA

To enable passkey MFA for your AWS account:

  1. Navigate to the AWS Identity and Access Management (IAM) section in the console.
  2. Select a user and scroll down to the Multi-factor authentication (MFA) section.
  3. Choose “Assign MFA device.”

Root Users and MFA

AWS emphasizes that root accounts must enable MFA by the end of July 2024. This proactive measure ensures robust security for the most sensitive account.


By embracing passkey MFA, AWS continues to prioritize security. Users can now benefit from enhanced protection against unauthorized access. As we move forward, let’s appreciate the balance between usability and security that passkeys bring to the cloud landscape.

Remember, security is a shared responsibility, and adopting best practices ensures a safer cloud experience. Stay vigilant and keep your passkeys close!
